ABSTRACT


In  this  thesis,  we  study  a  type  of  affine  equivalence  for  the  monomial  rotation-symmetric 
(MRS)  Boolean  functions  and  two  new  construction  techniques  for  cryptographic  Boolean 
functions  based  on  the  affine  equivalence  of  cryptographically  strong  base  functions  and 
fast  Boolean  operations.  Affine  equivalence  of  cryptographic  Boolean  functions  presents 
a  formidable  challenge  to  researchers,  due  to  its  complexity  and  size  of  the  search  space. 
We  focus  on  an  affine  equivalence  based  on  permutation  of  variables  for  MRS  Boolean 
functions  and  their  relationship  to  circulant  matrices  over  the  binary  field  F2  and  regular 
graphs. We first establish a relationship between generalized inverses of circulant matrices
in F2 and their generating polynomials. We then apply the relationship to gain insight
into  necessary  conditions  for  the  affine  equivalence,  based  on  permutations  of  variables  for 
MRS  Boolean  functions.  We  also  propose  a  theoretical  connection  between  regular  graphs 
and  MRS  Boolean  functions  to  further  our  study  in  affine  equivalence.  Finally,  we  present 
two constructions for Boolean functions with good cryptographic properties. The constructions
take advantage of two affine-equivalent base functions with strong cryptographic
properties.  We  analyze  the  cryptographic  properties  of  the  constructions  and  demonstrate 
an  application  with  these  base  functions,  called  the  hidden  weighted-bit  functions. 

1. INTRODUCTION


As  we  connect  to  the  Internet  with  increasing  frequency  for  various  services,  the 
need  for  secure  communication  is  higher  than  ever  before.  The  ability  to  email  or  socialize 
electronically  with  the  world  in  a  secure  and  stable  manner  is  crucial  for  today’s  global 
citizen.  We  want  our  financial  transactions  over  the  Internet  to  get  processed  without  error. 
Cyber warfare between nations and industrial espionage among corporations are commonplace.
A nation’s infrastructure networks need impregnable protection. We are living in
a fast moving, networked world, and any compromised or misintended information may
result in catastrophic consequences. It is therefore a paramount requirement of every electronic
communications network system that it provide every authorized user.

Due  to  the  Internet  revolution,  the  application  of  cryptography  is  no  longer  limited 
to  corporations  or  government  agencies.  Any  entity  on  the  Internet  has  the  need  to  protect 
information  in  storage  and  data  in  transit  to  another  part  of  the  network.  This  protection, 
attained  via  complex  (mostly  mathematical)  schemes  called  cryptosystems,  is  an  integral 
part  of  any  reliable  network  service.  At  the  heart  of  every  cryptosystem  is  a  cipher.  A 
cipher  is  a  set  of  algorithms  used  to  encrypt  and  decrypt  a  message.  An  encrypted  message 
in  any  language  is  called  ciphertext,  and  an  unencrypted  message  is  called  plaintext.  In 
general, there are two types of cryptosystems: asymmetric and symmetric. The security of
a  modern  electronic  cipher  often  depends  on  secret  keys  that  are  essential  for  encryption 
and  decryption  processes.  An  asymmetric  cipher  uses  different  keys  to  encrypt  and  decrypt 
a  message,  and  the  connection  between  the  encryption  and  decryption  keys  is  based  upon 
a  known  (and  well  studied)  mathematical  problem.  RSA  (the  initials  of  the  surnames  of 
its  designers,  Ron  Rivest,  Adi  Shamir  and  Leonard  Adleman)  is  a  well  known  asymmetric 
cipher.  Compared  to  symmetric  ciphers,  asymmetric  ciphers  are  generally  slow.  However, 
asymmetric  ciphers  have  added  more  functionality,  such  as  message  authentication  and 
digital  signature  and  are  more  efficient  in  secret-key  management,  since  they  require  fewer 
secret keys. A symmetric cipher uses the same secret key to encrypt and decrypt a message.
It is faster than an asymmetric cipher, but requires more secret keys, since each pair of users
on the network needs to have a unique key. This makes secret-key management a difficult
task. Depending on how a symmetric cipher processes a message before encryption or decryption,
a symmetric cipher can be further classified into a block or stream cipher. A block
cipher breaks down a message into 64, 128, 192 or 256 binary bit blocks and encrypts the
message by blocks. The decryption of a block cipher is usually accomplished by reversing
the encryption process. Data Encryption Standard (DES) and Advanced Encryption
Standard  (AES)  are  well  known  examples  of  block  ciphers.  On  the  other  hand,  a  stream 
cipher  encrypts  and  decrypts  a  bit  at  a  time.  For  example,  GSM  (Global  System  for  Mobile 
Communications),  a  wireless  communications  protocol,  uses  a  stream  cipher  called  A5/1. 

The subject of this thesis, cryptographic Boolean functions, applies to both ciphers,
asymmetric and symmetric. Boolean functions can be key components to hashing algorithms
of asymmetric ciphers. Cryptographic Boolean functions can also be an element
for block cipher design and analysis. A good illustration of this is DES. Figure 1.1 shows
the DES encryption process. Despite all the seemingly complex procedures and diagrams,
the only nonlinear component in DES is the substitution process in the function $f$, which
uses a lookup table called substitution box or S-box to simply shuffle data. Surprisingly,
in DES, the S-boxes are the only component that integrates significant complexity to the
cipher. The S-box is the keystone of the security of DES. The same is true for AES. It is
possible to analyze an S-box with cryptographic Boolean functions and measure the security
of a block cipher against known attacks. We can also design another set of S-boxes for
DES, which optimizes certain cryptographic properties of Boolean functions [1].

Figure 1.1: Data Encryption Standard (DES) Diagram From [2]

The two important qualities of a cipher are security and speed. They often conflict
with each other and affect the decision to choose the optimum cryptographic Boolean
functions for a cipher. The two broad topics of this thesis are the affine equivalence and
construction of Boolean functions with good cryptographic properties. A cryptographic
Boolean function of $n$ variables takes an $n$-dimensional Boolean vector and maps it to 0 or
1. Two Boolean functions are affine equivalent if we can obtain one from the other through
a set of affine transformations. By reflexivity, symmetry, and transitivity, the affine equivalence
is an equivalence relation. Therefore, it partitions any set of Boolean functions into
equivalence classes. A cryptanalyst can take advantage of the partitioning to devise an efficient
algorithm to test the security of a cipher. He needs only to consider the equivalence
classes instead of all possible Boolean functions for the cipher, since affine transformations
preserve many of the cryptographic properties. On the other hand, cryptographic engineers
can integrate affine equivalent functions with good cryptographic properties for speed and
simplicity. For example, instead of using the same function, they may use affine equivalence
classes of the function to increase security. They can also avoid the equivalence class
of a cryptographically weak function, since they are inherently a security risk. Affine equivalence
is notoriously complex and often requires unrealistic computing resources. In this
thesis, we focus on an affine equivalence of monomial rotation-symmetric (MRS) Boolean
functions. A rotation-symmetric Boolean function (RSBF) is a Boolean function such that
a Boolean vector and its rotation equivalents render the same function value. For example,
if a Boolean function $f(x)$ is a RSBF of three variables $x = (x_1, x_2, x_3)$, then the vector
$(0, 0, 1)$ and its rotation equivalents $(1, 0, 0)$ and $(0, 1, 0)$ have the same function value. In
other words, $f((0, 0, 1)) = f((1, 0, 0)) = f((0, 1, 0))$. RSBFs are well known for their
speed [3], and some cryptographically strong Boolean functions are rotation symmetric.
An MRS Boolean function is a special type of RSBF, which we formally define in Chapter
4. Construction techniques of cryptographic Boolean functions may be less relevant to the
ciphers, such as DES and AES, since they use key-invariant S-boxes. However, ciphers
such as BLOWFISH and TWOFISH use key-dependent S-boxes. Efficient construction
techniques for S-boxes can be a crucial part of the ciphers with dynamic S-boxes. We
study two techniques using affine equivalence of cryptographically strong base functions
and two simple Boolean operations, concatenation and complementation. These constructions
provide the flexibility to choose a customized base function with good cryptographic
properties, as well as speed due to the simplicity of the Boolean operations. We also present
an application of our methods, using the hidden weighted-bit function, which is resistant to
a binary decision diagram (BDD)-related attack.

The  rest  of  the  dissertation  is  outlined  as  follows. 

In  Chapter  2,  we  formally  define  basic  terminology  and  principles  of  cryptographic 
Boolean functions. We illustrate applications of cryptographic Boolean functions and review
common cryptographic properties.

In  Chapter  3,  we  delve  into  circulant  matrices  and  introduce  some  results  regarding 
the  general  inverse  of  circulant  matrices.  We  study  a  necessary  condition  for  an  affine 
equivalence  based  on  a  permutation  of  input  variables  for  MRS  Boolean  functions. 

In  Chapter  4,  we  study  the  relationship  between  MRS  Boolean  functions  and  regular 
graphs.  We  establish  a  basic  relationship  and  suggest  other  possibilities. 

In  Chapter  5,  we  study  two  different  ways  to  construct  Boolean  functions  with  good 
cryptographic  properties  via  affine  transformation,  concatenations,  and  complementations 
of cryptographically strong base functions.

In Chapter 6, we briefly introduce BDD and cryptanalysis based on its properties.
We present an application based on hidden weighted-bit function for our construction methods.
We analyze cryptographic properties of these constructions.

In  Chapter  7,  we  summarize  and  reflect  on  the  main  contribution  of  this  thesis.  We 
also  suggest  some  ideas  for  future  research. 




2. CHARACTERISTICS OF CRYPTOGRAPHIC BOOLEAN FUNCTIONS


2.1.  BASIC  DEFINITIONS  AND  FUNDAMENTAL  PROPERTIES 


First, we introduce a commutative binary operation, “exclusive-or” or XOR, denoted
by “$\oplus$” over the set $\{0, 1\}$. Table 2.1 shows the truth table for the XOR operation.

| $\oplus$ | 0 | 1 |
|---|---|---|
| 0 | 0 | 1 |
| 1 | 1 | 0 |

Table 2.1: Binary Operation XOR


We also define a multiplication in $\{0, 1\}$ in the usual way. This operation is equivalent
to logical “AND” operation. Table 2.2 shows the truth table for the multiplication
operation.

| $\cdot$ | 0 | 1 |
|---|---|---|
| 0 | 0 | 0 |
| 1 | 0 | 1 |

Table 2.2: Binary Operation $\cdot$


We note that $\{0, 1\}$ with $\oplus$ and $\cdot$ forms the smallest Galois field.

Definition 2.1.1. Let the set $\{0, 1\}$ with the XOR operation and the usual multiplication
be the binary or Boolean field, denoted by $\mathbb{F}_2$. The set of $n$-tuples $(x_1, x_2, \ldots, x_n)$, denoted
by $\mathbb{F}_2^n$, where $x_i \in \mathbb{F}_2$ with $1 \le i \le n$, is an $n$-dimensional vector space over $\mathbb{F}_2$.

We use the terms Boolean vectors and Boolean strings interchangeably. The Boolean
vector space has many common properties of other vector spaces, such as $\mathbb{R}^n$ and $\mathbb{C}^n$.

We now proceed to define a Boolean function of $n$ variables.

Definition 2.1.2. We define a Boolean function $f$ of $n$ variables as a mapping

$$f : \mathbb{F}_2^n \to \mathbb{F}_2.$$

A Boolean function $f$ takes an $n$-dimensional vector of 1’s and 0’s as input, and returns 1
or 0 as the function value. We denote the set of all Boolean functions of all variables as $\mathcal{B}$,
and the set of all $n$ variable Boolean functions as $\mathcal{B}_n$. We use the terms “Boolean function
of $n$ variables” and “Boolean function” interchangeably.

By applying the product rule of combinatorics, we observe that the domain of
$f \in \mathcal{B}_n$ has cardinality $2^n$. We usually order the domain in a lexicographical order. We
distinguish two types of lexicographical ordering, depending on how the elements of the
vector domain are ordered. One is the backward ordering, where we order the components
of the vector $x$ such that $x = (x_n, x_{n-1}, \ldots, x_2, x_1)$. Therefore, the domain vectors are
lexicographically ordered such that $(0, 0, \ldots, 0, 0), (0, 0, \ldots, 0, 1), \ldots, (1, 1, \ldots, 1, 1)$. The
other is the forward ordering, where we order the components of the vector $x$ such that
$x = (x_1, x_2, \ldots, x_{n-1}, x_n)$. Therefore, the domain vectors are lexicographically ordered
such that $(0, 0, \ldots, 0, 0), (1, 0, \ldots, 0, 0), \ldots, (1, 1, \ldots, 1, 1)$. When we say “lexicographical
order”, we mean the backward ordering, unless stated otherwise. For convenience, we
regard the vectors as row vectors and use forward ordering unless stated otherwise.

The most popular way to define a Boolean function of $n$ variables is to list the
function values as they match the lexicographically ordered domain, which results in a
$2^n$-dimensional Boolean vector or string. The first column of Table 2.3 depicts a Boolean
function of 3 variables, $f(x)$, with its truth table 10011101.

Remark 2.1.3. For convenience, we note that $f$ means the truth table representation of a
Boolean function $f$, and $f(x)$ means the function value at the particular vector $x$.

Definition 2.1.4. Given a Boolean function $f$, the complement of $f$, denoted by $\bar{f}$, is $f \oplus 1$.

We observe that $\bar{f}$ merely flips or changes the function values of $f$. That is, if
$f(x) = 1$, then $\bar{f}(x) = 0$, and if $f(x) = 0$, then $\bar{f}(x) = 1$. The complement of the function
on Table 2.3 is 01100010.

Lemma 2.1.5. $f \oplus f = \mathbf{0}$, and $f \oplus \bar{f} = \mathbf{1}$ where $\mathbf{0} = (0, 0, \ldots, 0)$ and $\mathbf{1} = (1, 1, \ldots, 1)$.

Remark 2.1.6. For convenience, we use string and vector notations interchangeably in this
thesis. For example, 10011101 = (1, 0, 0, 1, 1, 1, 0, 1).

By the product rule of combinatorics, there are $2^{2^n}$ Boolean functions of $n$ variables.
Another operation commonly used in is concatenation.

Definition 2.1.7. Given two Boolean vectors, $f = a_1a_2 \ldots a_m$ and $g = b_1b_2 \ldots b_n$ with
$a_i, b_j \in \mathbb{F}_2$ and $m$ and $n$ in $\mathbb{N}$, the concatenation of $f$ and $g$, denoted by $f \| g$, is an $m + n$
vector obtained by simply combining the elements of $f$ and $g$ in order. That is,

$$f \| g = a_1a_2 \ldots a_m b_1b_2 \ldots b_n.$$

Example 2.1.8. Table 2.3 shows the various expressions of a Boolean function. It is interesting
to note that $f = 1001 \| 1101$, where $1001, 1101 \in \mathcal{B}_2$ and $f \in \mathcal{B}_3$.

Another way to express the truth table is to take $-1$ to the power of the function
value. This setup gives us more options to aggregate some Boolean measures in $\mathbb{R}$.

Definition 2.1.9. Given the truth table of a Boolean function $f(x)$, we define the character
form or sign function [4, p. 6] of $f(x)$, denoted by $\hat{f}(x)$, as

$$\hat{f}(x) = (-1)^{f(x)}.$$

It is clear that $\hat{f}(x) \in \{-1, 1\}$, and also $\hat{f}(x) = 1 - 2 \cdot f(x)$.

The second column of Table 2.3 depicts a Boolean function of 3 variables $f(x)$,
as $-1, 1, 1, -1, -1, -1, 1, -1$ in sign function. The next lemma describes the relationship
between the truth table and the sign function.

Lemma 2.1.10. [4, p. 6] If $f, g \in \mathcal{B}_n$ and $h = f \oplus g$, then $\hat{h} = \hat{f}\hat{g}$.


We call a multiplication term of Boolean variables, regardless of the power of each
variable, a monomial. For example, $x_1 \cdot x_2^0 \cdot x_3 = x_1x_3$ is a monomial. Given
$x = (x_n, \ldots, x_1)$ with $x_i \in \{0, 1\}$ and $1 \le i \le n$, we observe that

$$(x_i)^k = x_i \cdot x_i \cdots x_i = x_i$$

for $k \in \mathbb{N}$. We can write a polynomial-like expression for Boolean functions, using monomials
and $\oplus$. When we list all the possible monomials in lexicographical order, we can
regard the set of all the Boolean functions of $n$ variables as the set of all possible XOR-combinations
of $n$ variable monomials. We can also assign a unique $2^n$-dimensional vector
over $\mathbb{F}_2$ to all possible monomials to write an XOR combination of $n$ variable monomials
in the following way.

Definition 2.1.11. The algebraic normal form (ANF) of a Boolean function $f(x)$ is an
XOR sum of monomials such that

$$f(x) = \bigoplus_{\substack{a \in \mathbb{F}_2^n \\ j = 1}}^{j = 2^n} c_j \, x_1^{a_1} x_2^{a_2} \cdots x_n^{a_n},$$

where $a = (a_1, a_2, \ldots, a_n)$, $c = (c_1, c_2, \ldots, c_{2^n})$, and $a_i, c_j \in \mathbb{F}_2$ for $i = 1, 2, \ldots, n$
and $j = 1, 2, \ldots, 2^n$.

Example 2.1.12. The expression below illustrates the ANF of $f(x)$. Typically, we
order the vector $a$ lexicographically and obtain the binary string $f(x) = 0001000000001000$
of length $2^n$.

$$f(x) = x_1x_2 \oplus x_3x_4 = \cdots \oplus 1 \cdot x_1^0x_2^0x_3^1x_4^1 \oplus \cdots \oplus 1 \cdot x_1^1x_2^1x_3^0x_4^0 \oplus \cdots$$

We also note that the ANF of a Boolean function is unique.

A Boolean function may be better understood with one expression type of $f(x)$ than another.
We transform an ANF of a Boolean function $f(x)$ to the truth table of $f(x)$ by
simply evaluating the function value with the ANF. We can transform a truth table in Table
2.3 into an ANF expression by adding the monomials derived by the input values $x$ such
that $f(x) = 1$. We demonstrate this process in the next example.

Example 2.1.13. The truth table of the Boolean function $f(x)$ on Table 2.3 is 10100111,
where $f(000) = f(010) = f(101) = f(110) = f(111) = 1$. We construct each term to
ensure that $f(x) = 1$ whenever $x$ happens to be one of the vectors listed. For example,
since $f(011) = 1$, we want to have the term $x_1x_2(x_3 \oplus 1)$ for $x_1 = 1$, $x_2 = 1$, $x_3 = 0$. And
we apply this to each $x$ with $f(x) = 1$ to obtain

$$\begin{aligned}
f(x) &= (x_3 \oplus 1)(x_2 \oplus 1)(x_1 \oplus 1) \oplus (x_3 \oplus 1)x_2x_1 \oplus x_3(x_2 \oplus 1)x_1 \\
&\quad \oplus x_3x_2(x_1 \oplus 1) \oplus x_3x_2x_1 \\
&= 1 \oplus x_1 \oplus x_2 \oplus x_1 \cdot x_3 \oplus x_1 \cdot x_2 \cdot x_3.
\end{aligned}$$

| $n = 3$ | $f(x)$ | $\hat{f}(x)$ | ANF($f(x)$) |
|---|---|---|---|
| 000 | 1 | -1 | 1 |
| 001 | 0 | 1 | 1 |
| 010 | 0 | 1 | 1 |
| 011 | 1 | -1 | 0 |
| 100 | 1 | -1 | 0 |
| 101 | 1 | -1 | 1 |
| 110 | 0 | 1 | 0 |
| 111 | 1 | -1 | 1 |

Table 2.3: Various Representation of a Boolean function $f(x)$

There  is  a  more  efficient  way  to  construct  the  ANF  from  the  truth  table  (and  vice 
versa),  called  transeunt  triangle,  and  we  refer  to  [5]. 

Definition 2.1.14. The ANF of a Boolean function gives us some important measures on
the function. In an ANF, the number of variables in the highest-order monomial with
nonzero coefficient is called the degree of the Boolean function. A Boolean function is
homogeneous if all its ANF terms have the same degree. A Boolean function is nonhomogeneous
if it is not homogeneous.

Example 2.1.15. The function in Example 2.1.12 is a homogeneous Boolean function with
degree 2, whereas the function below is a nonhomogeneous Boolean function with degree
5.

$$f(x) = x_1x_2 \oplus x_1x_2x_3x_4x_5.$$

The degree of a Boolean function is one of the most important cryptographic properties
in a cipher. We discuss the cryptographic implications of the degree in the next section.
A Boolean function of degree at most one is an affine function. An affine function with
the constant term equal to zero is called a linear function. The set of all $n$ variable affine
(respectively linear) functions is denoted by $\mathcal{A}_n$ (respectively $\mathcal{L}_n$).

Let $f \in \mathcal{B}_n$ and $E$ be any flat (that is, a coset of a vector subspace). If the restriction
$f|_E$ of $f$ to $E$ is constant (respectively affine), then $E$ is called a constant (respectively
affine) flat for $f$.

Let

$$1_f = \{x \in \mathbb{F}_2^n \mid f(x) = 1\}$$

be the support of a Boolean function $f$. We define the complement of the support

$$0_f = \{x \in \mathbb{F}_2^n \mid f(x) = 0\}.$$

We also note the usual dot-product operation of two vectors in the context of Boolean
vectors. Let $x = (x_n, \ldots, x_1)$ and $w = (w_n, \ldots, w_1)$ both belonging to $\mathbb{F}_2^n$ and

$$x \cdot w = x_nw_n \oplus \cdots \oplus x_1w_1.$$

Definition 2.1.16. The number of 1’s in a binary string or vector $x$, denoted by $wt(x)$, is
called the Hamming weight.

We can apply the same idea to the truth table of a Boolean function $f$. The Hamming
weight of $f$ is the Hamming weight of the truth table of $f$. The Hamming weight of
the Boolean function on Table 2.3 is 5. We also observe that the cardinality of $1_f$ is the
Hamming weight of $f$.

Lemma 2.1.17. Given $f \in \mathcal{B}_n$,

$$wt(f) = \sum_{x \in \mathbb{F}_2^n} f(x) = \frac{1}{2}\left(2^n - \sum_{x \in \mathbb{F}_2^n} \hat{f}(x)\right).$$

Definition 2.1.18. Given two binary vectors (or strings) of the same length, $x = (x_1, x_2, \ldots, x_n)$
and $y = (y_1, y_2, \ldots, y_n)$, the Hamming distance between the two vectors, denoted by $d(x, y)$,
is the number of indices where they have different binary values.

For example, if $x = (0, 1, 0, 0, 0, 0, 0)$ and $y = (1, 1, 1, 1, 1, 1, 0)$, $d(x, y) = 5$ since the
elements of $x$ and $y$ are different in the indices 1, 3, 4, 5, 6.

Lemma 2.1.19. Given two Boolean functions of $n$ variables $f = x_1, x_2, \ldots, x_k$ and
$g = y_1, y_2, \ldots, y_k$ in truth table, $d(f, g) = wt(f \oplus g)$.

Lemma 2.1.20. For two Boolean functions $f$ and $g$,

$$d(f, g) = 2^{n-1} - \frac{1}{2}\,\hat{f} \cdot \hat{g}.$$

Next,  we  introduce  an  important  measure  of  Boolean  functions. 

Definition 2.1.21. [4, p. 7] Given a Boolean function $f$, the Walsh transform of $f$ on a
vector $w$ is an integer-valued function defined by

$$\mathcal{W}(f)(w) = \sum_{x \in \mathbb{F}_2^n} f(x)(-1)^{w \cdot x}.$$

We  can  recover  /  by  the  inverse  Walsh  transform, 

xSFg 

Another way to measure a Boolean function is the Walsh transform of $\hat{f}$ on $w$, denoted by
$W_f(w)$. We refer to it as the Walsh-Hadamard transform of $f(x)$.

$$W_f(w) = \sum_{x \in \mathbb{F}_2^n} \hat{f}(x)(-1)^{w \cdot x} = \sum_{x \in \mathbb{F}_2^n} (-1)^{f(x) \oplus w \cdot x}.$$

The Walsh transform of $\hat{f}$ on $w$ essentially measures the Hamming distance between
$f$ and the linear function defined by the vector $w$, which is

$$w \cdot x = w_1x_1 \oplus w_2x_2 \oplus \cdots \oplus w_nx_n.$$

We use this result to define the nonlinearity of a Boolean function in the next section.

Next, we discuss a concept analogous to a “directional derivative” [4, p. 38]. Given
a Boolean function $f(x)$ and an arbitrary vector $u$, we can consider a measure on $f(x)$ with
respect to a vector $u$.

Definition 2.1.22. Given a Boolean function $f$, the derivative of $f$ with respect to a vector
$u$, denoted by $D_uf$, is defined by

$$D_uf = f(x) \oplus f(x \oplus u).$$

If $f(x) = f(x \oplus u)$, $D_uf = 0$. If $f(x) \ne f(x \oplus u)$, $D_uf = 1$. Therefore,
$\sum_{x \in \mathbb{F}_2^n} D_uf(x)$ counts the number of input values in which function values change when the
change in direction of $u$ is applied. We can apply the same idea to $\hat{f}$ and obtain
$D_u\hat{f} = \hat{f}(x)\hat{f}(x \oplus u)$, so that $D_u\hat{f} \in \{-1, 1\}$. When we aggregate $D_u\hat{f}$ over $x \in \mathbb{F}_2^n$, we have
the following definition for measuring how sensitive a Boolean function is in the domain.

Definition 2.1.23. [4, p. 8] The autocorrelation function of $f \in \mathcal{B}_n$ with respect to $u \in \mathbb{F}_2^n$,
denoted $C_f(u)$, is defined by

$$C_f(u) = \sum_{x \in \mathbb{F}_2^n} \hat{f}(x) \cdot \hat{f}(x \oplus u) = \sum_{x \in \mathbb{F}_2^n} (-1)^{f(x) \oplus f(x \oplus u)}.$$

We note that $C_f(0) = 2^n$.

The autocorrelation function measures the overall change of $f$ as a result of the shift
or change caused by a vector $u$ in the domain. We argue that if the overall change is half
of $2^n$, the statistical impact of the shift of $u$ is zero. This notion gives us a cryptographic
property called the strict avalanche criterion (SAC), a concept invented by Webster and
Tavares and published in Crypto 85, which we elaborate in the next section. We can apply
a similar idea to the autocorrelation function of two Boolean functions and measure how
they are related to each other with respect to a vector.

Definition 2.1.24. [4, p. 8] The correlation between two Boolean functions $f$ and $g$ is
defined by

$$C(f, g) = 1 - \frac{d(f, g)}{2^{n-1}}.$$

The correlation function between $f$ and $g$ with respect to $u \in \mathbb{F}_2^n$ is an integer-valued
function defined by

$$C(f, g)(u) = \sum_{x \in \mathbb{F}_2^n} \hat{f}(x)\hat{g}(x \oplus u).$$

S-boxes of block ciphers may employ multiple cryptographic Boolean functions.
We want to reduce the correlation between functions as well as the autocorrelation function
values of each function used, to minimize the risk of a correlation attack.

The concept of a derivative gives us another interesting measure of a cryptographic
function, namely linear structure.

Definition 2.1.25. [6], [7] If the derivative $D_uf$ of $f \in \mathcal{B}_n$ with respect to $u \in \mathbb{F}_2^n$ is
constant, then $u$ is a linear structure of $f$. If the linear structures of $f$ form a subspace in
$\mathbb{F}_2^n$, we call this subspace a linear space of $f$.

Depending on the constant derivative, we can further classify a linear structure $u$
into two types: 0-linear structure, denoted by $LS_0(f)$ if $D_uf = 0$, and 1-linear structure,
denoted by $LS_1(f)$ if $D_uf = 1$.

Theorem 2.1.26. [8] If $LS_1(f) \ne \emptyset$, the dimension of the entire linear space of $f$ is equal
to

$$\dim(LS_0(f)) + 1.$$

In [9], the concept of linear structure was used to show that the strict avalanche
criterion is local in the sense of a derivative, and may not be enough to protect a block
cipher from a statistical attack.
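
The Walsh-Hadamard transform, autocorrelation function and linear structures defined in this section, computed for the function of Table 2.3. This Python is an added example, not code from the thesis: the function names are illustrative, `G_CONSTRUCTED` is a function built here so that it has a 1-linear structure, and table indices follow the backward ordering $(x_n, \ldots, x_1)$.

```python
"""Walsh-Hadamard spectrum, autocorrelation and linear structures (added example)."""

F_TABLE_2_3 = "10011101"    # truth table of f from Table 2.3, backward ordering
G_CONSTRUCTED = "01010110"  # constructed here: g(x) = x1 XOR x2*x3 (x1 is the low bit)


def sign_form(tt):
    """Character (sign) form: each truth-table value b becomes (-1)^b = 1 - 2b."""
    return [1 - 2 * int(c) for c in tt]


def walsh_hadamard(tt):
    """W_f(w) = sum over x of (-1)^(f(x) XOR w.x), for every w, by the fast butterfly.

    Index w uses the same bit layout as x, so w.x is the parity of (w & x).
    """
    w = sign_form(tt)
    h = 1
    while h < len(w):
        for i in range(0, len(w), 2 * h):
            for j in range(i, i + h):
                w[j], w[j + h] = w[j] + w[j + h], w[j] - w[j + h]
        h *= 2
    return w


def distances_to_linear(tt):
    """Hamming distance d(f, l_w) = 2^(n-1) - W_f(w)/2 to each linear l_w(x) = w.x."""
    half = len(tt) // 2
    return [half - v // 2 for v in walsh_hadamard(tt)]  # W_f(w) is always even


def min_affine_distance(tt):
    """Smallest Hamming distance from f to any affine function w.x or w.x XOR 1."""
    return len(tt) // 2 - max(abs(v) for v in walsh_hadamard(tt)) // 2


def autocorrelation(tt):
    """C_f(u) = sum over x of fhat(x) * fhat(x XOR u), for every shift u."""
    s = sign_form(tt)
    return [sum(s[x] * s[x ^ u] for x in range(len(s))) for u in range(len(s))]


def linear_structures(tt):
    """Return (LS_0, LS_1): the shifts u whose derivative D_u f is constant 0 or 1.

    D_u f = 0 for all x gives C_f(u) = 2^n; D_u f = 1 for all x gives C_f(u) = -2^n.
    """
    size = len(tt)
    c = autocorrelation(tt)
    ls0 = [u for u in range(size) if c[u] == size]
    ls1 = [u for u in range(size) if c[u] == -size]
    return ls0, ls1


if __name__ == "__main__":
    for name, tt in (("f (Table 2.3)", F_TABLE_2_3), ("g (constructed)", G_CONSTRUCTED)):
        print(name)
        print("  Walsh-Hadamard spectrum:", walsh_hadamard(tt))
        print("  distance to each l_w   :", distances_to_linear(tt))
        print("  min distance to affine :", min_affine_distance(tt))
        print("  autocorrelation        :", autocorrelation(tt))
        print("  (LS_0, LS_1)           :", linear_structures(tt))
```

For `G_CONSTRUCTED` the linear space is $\{0, e_1\}$, of dimension $\dim(LS_0) + 1 = 1$, as Theorem 2.1.26 states.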

2.2.  APPLICATION  OF  CRYPTOGRAPHIC  BOOLEAN  FUNCTIONS 

In this section, we briefly comment on some applications of cryptographic Boolean
functions. Boolean functions are typically used for the construction of S-boxes for block
ciphers, nonlinear filters for a linear-feedback shift register (LFSR), nonlinear combiners
for multiple LFSRs in a stream cipher, or hashing functions in an asymmetric cipher.

2.2.1.  Block  Ciphers 

A block cipher breaks down the text into blocks of some size, and enciphers and deciphers
it block by block. Boolean functions play a crucial role in analyzing and designing
block ciphers. The two prominent techniques to design a block cipher are Feistel ciphers
and substitution permutation networks (SPNs). Regardless of the scheme, it uses substitution
boxes or S-boxes. For example, DES uses eight fixed S-boxes, which convert a six-bit
input string to a four-bit string. Table 2.4 shows the first S-box of DES, which consists
of four lookup tables numbered 0 through 15. Each row can be represented by a vectorial
Boolean function, $F(x) : \mathbb{F}_2^4 \to \mathbb{F}_2^4$, which can be composed with four four-variable
Boolean functions. Each function takes a six-bit string and extracts the first and the last bit
to determine which row of the table to use. Then, the middle four bits process through the
vectorial function to output the substitution value. Table 2.5 shows the Boolean representation
of the first S-box, and Table 2.6 lists the four cryptographic Boolean functions for
the first row of the first S-box.

Typically, S-boxes are the only nonlinear features in a block cipher. Without nonlinear
S-boxes, almost all block ciphers could be solved with little effort. Therefore, when
designing an S-box for a block cipher, we must consider known relevant cryptographic
characteristics of S-boxes to optimize their security. In [1], a complete set of replacement
S-boxes for DES based on Boolean functions is presented.

| Row\Col | 0 | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 0 | 14 | 4 | 13 | 1 | 2 | 15 | 11 | 8 | 3 | 10 | 6 | 12 | 5 | 9 | 0 | 7 |
| 1 | 0 | 15 | 7 | 4 | 14 | 2 | 13 | 1 | 10 | 6 | 12 | 11 | 9 | 5 | 3 | 8 |
| 2 | 4 | 1 | 14 | 8 | 13 | 6 | 2 | 11 | 15 | 12 | 9 | 7 | 3 | 10 | 5 | 0 |
| 3 | 15 | 12 | 8 | 2 | 4 | 9 | 1 | 7 | 5 | 11 | 3 | 14 | 10 | 0 | 6 | 13 |

Table 2.4: 1st S-box of DES in Decimal From [4, p. 170]


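| Row\Col | 0000 | 0001 | 0010 | 0011 | 0100 | 0101 | 0110 | 0111 |
|---|---|---|---|---|---|---|---|---|
| 00 | 1110 | 0100 | 1101 | 0001 | 0010 | 1111 | 1011 | 1000 |
| 01 | 0000 | 1111 | 0111 | 0100 | 1110 | 0010 | 1101 | 0001 |
| 10 | 0100 | 0001 | 1110 | 1000 | 1101 | 0110 | 0010 | 1011 |
| 11 | 1111 | 1100 | 1000 | 0010 | 0100 | 1001 | 0001 | 0111 |

| Row\Col | 1000 | 1001 | 1010 | 1011 | 1100 | 1101 | 1110 | 1111 |
|---|---|---|---|---|---|---|---|---|
| 00 | 0011 | 1010 | 0110 | 1100 | 0101 | 1001 | 0000 | 0111 |
| 01 | 1010 | 0110 | 1100 | 1011 | 1001 | 0101 | 0011 | 1000 |
| 10 | 1111 | 1100 | 1001 | 0111 | 0011 | 1010 | 0101 | 0000 |
| 11 | 0101 | 1011 | 0011 | 1110 | 1010 | 0000 | 0110 | 1101 |

Table 2.5: 1st S-box of DES in Binary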


Col   Boolean Function (ANF and Truth Table)

 1    $1 \oplus x_1 \oplus x_3 \oplus x_4 \oplus x_2x_3 \oplus x_3x_4 \oplus x_1x_2x_3 \oplus x_2x_3x_4$
      1010011101010100

 2    $1 \oplus x_3 \oplus x_4 \oplus x_1x_2 \oplus x_1x_3 \oplus x_2x_4 \oplus x_1x_2x_4$
      1110010000111001

 3    $1 \oplus x_1 \oplus x_2 \oplus x_1x_2 \oplus x_1x_3 \oplus x_2x_3 \oplus x_1x_4 \oplus x_2x_4 \oplus x_3x_4 \oplus x_1x_3x_4 \oplus x_2x_3x_4$
      1000111011100001

 4    $x_2 \oplus x_4 \oplus x_1x_3 \oplus x_1x_4 \oplus x_1x_2x_4$
      0011011010001101

Table 2.6: Boolean Function Representation of the First Row of the First S-box of DES


The S-boxes in DES are predetermined and typically implemented as a lookup table
for simplicity. However, block ciphers, such as BLOWFISH [10] and TWOFISH [11], do
not use fixed lookup tables (S-boxes), since they generate S-boxes from the key for each
session.
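
The following Python sketch is an added example, not code from the thesis. It performs the S-box lookup described above on Table 2.4 and recovers the truth tables and ANFs of Table 2.6 with a binary Moebius transform. The function names are hypothetical, and the convention that $x_1$ is the least significant bit of the column index is an assumption, chosen because it reproduces the ANFs printed in Table 2.6.

```python
# DES S-box 1 exactly as printed in Table 2.4 (rows 0..3, columns 0..15).
S1 = [
    [14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7],
    [0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8],
    [4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0],
    [15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13],
]


def sbox_lookup(six_bits):
    """6-bit input -> 4-bit output: first and last bit pick the row,
    the middle four bits pick the column."""
    row = (((six_bits >> 5) & 1) << 1) | (six_bits & 1)
    col = (six_bits >> 1) & 0xF
    return S1[row][col]


def component_truth_table(row, out_bit):
    """Truth table (string over columns 0..15) of one output bit of a row.
    out_bit = 1 is the most significant output bit ('Col' in Table 2.6)."""
    return "".join(str((v >> (4 - out_bit)) & 1) for v in S1[row])


def anf_coefficients(tt):
    """Binary Moebius transform: truth table -> ANF coefficients.
    Index m of the result is a monomial; bit i of m set means x_(i+1) occurs."""
    a = [int(c) for c in tt]
    n = len(a).bit_length() - 1
    for i in range(n):
        step = 1 << i
        for x in range(len(a)):
            if x & step:
                a[x] ^= a[x ^ step]
    return a


def anf_terms(tt):
    """ANF as a list of monomial names, e.g. ['1', 'x1', 'x2x3']."""
    n = len(tt).bit_length() - 1
    terms = []
    for mask, coeff in enumerate(anf_coefficients(tt)):
        if coeff:
            names = [f"x{i + 1}" for i in range(n) if (mask >> i) & 1]
            terms.append("".join(names) or "1")
    return terms


def algebraic_degree(tt):
    """Largest number of variables in any monomial of the ANF (0 for constants)."""
    coeffs = anf_coefficients(tt)
    return max((bin(m).count("1") for m, c in enumerate(coeffs) if c), default=0)


if __name__ == "__main__":
    for bit in range(1, 5):
        tt = component_truth_table(0, bit)
        print(bit, tt, " + ".join(anf_terms(tt)), "degree", algebraic_degree(tt))
```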




2.2.2.  Stream  Ciphers 

A stream cipher encrypts a plaintext bit by bit with secret-key stream bits. In general,
an XOR operation of a plaintext bit and secret-key stream bit results in a ciphertext bit.
A stream cipher integrates pseudo-random bit generators (PRBG) to produce a key stream.
In electronic circuits, a shift register is a sequential logic circuit for storage of binary data.
It is set up in a linear fashion such that the stored data is shifted to a predetermined direction
when the circuit is on. A linear-feedback shift register (LFSR) is a shift register whose input
is the output of a linear function of two or more bits from its previous state [4, p. 19]. We
assume an LFSR has $n > 1$ variables. Table 2.7 shows the LFSR sequence generated by
the Boolean function of 4 variables, $x_1 \oplus x_4$, with the initial vector $x = x_1x_2x_3x_4 = 0101$.
For example, from the initial vector, $x_1 = 0$ and $x_4 = 1$. Therefore, $x_1 \oplus x_4 = 0 \oplus 1 = 1$.
This feedback sets the next $x_1 = 1$, and the previous $x_1$, $x_2$, and $x_3$ shift to $x_2$, $x_3$, and $x_4$,
respectively, which sets the next state, $x = x_1x_2x_3x_4 = 1010$. It repeats this process until
the LFSR obtains the initial vector again. The number of steps needed to reach the initial
vector is called the cycle of an LFSR. We note that the LFSR in Table 2.7 has a cycle of
$2^4 - 1 = 15$, which is the maximum cycle possible.


Figure 2.1: LFSR of $x_1 = x_1 \oplus x_4$


We  can  integrate  a  nonlinear  filter  or  an  n  variable  Boolean  function  with  good 
cryptographic  properties  to  generate  secure  key  streams. 

One  way  to  construct  a  PRBG  is  to  combine  LFSRs  and  cryptographic  Boolean 
functions.  We  consider  two  applications  of  cryptographic  Boolean  functions  in  stream 
ciphers:  a  nonlinear  filter  and  a  nonlinear  combiner.  In  the  nonlinear  filter  setup,  an  LFSR 
and  a  cryptographic  Boolean  function  as  a  nonlinear  filter  can  generate  a  secret-key  stream. 

x1  x2  x3  x4  Output      x1  x2  x3  x4  Output
 0   1   0   1    1          0   0   0   1    1
 1   0   1   0    1          1   0   0   0    1
 1   1   0   1    0          1   1   0   0    1
 0   1   1   0    0          1   1   1   0    1
 0   0   1   1    1          1   1   1   1    0
 1   0   0   1    0          0   1   1   1    1
 0   1   0   0    0          1   0   1   1    0
 0   0   1   0    0          0   1   0   1    1

Table 2.7: Bit Stream Generated by LFSR of $x_1 = x_1 \oplus x_4$ with Initial Vector 0101

As the LFSR shifts through the states, the nonlinear filter processes n variables from each
state and outputs a key bit. Figure 2.2 illustrates this process.


[Figure: an LFSR of length n feeds a nonlinear Boolean function f(x), whose output is the keystream.]

Figure 2.2: Nonlinear Filter
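
The next sketch is an added example, not code from the thesis. It steps the four-bit LFSR of Table 2.7 and then uses its states in the nonlinear-filter setup of Figure 2.2. The filter $x_1x_2 \oplus x_3$ and the sample plaintext bits are constructed for illustration only, and a four-bit register is far too small for real use.

```python
def lfsr_step(state):
    """One clock of the LFSR in Table 2.7.
    The feedback x1 XOR x4 becomes the new x1; x1, x2, x3 shift to x2, x3, x4."""
    x1, x2, x3, x4 = state
    feedback = x1 ^ x4
    return (feedback, x1, x2, x3), feedback


def lfsr_cycle(initial):
    """All states visited before the register returns to `initial`,
    together with the feedback bit produced in each state."""
    states, outputs = [], []
    state = initial
    while True:
        states.append(state)
        state, feedback = lfsr_step(state)
        outputs.append(feedback)
        if state == initial:
            return states, outputs


def filter_fn(state):
    """Constructed nonlinear filter f(x) = x1*x2 XOR x3 (an assumption)."""
    x1, x2, x3, _x4 = state
    return (x1 & x2) ^ x3


def filtered_keystream(initial, nbits):
    """Nonlinear filter setup: one key bit per LFSR state."""
    stream, state = [], initial
    for _ in range(nbits):
        stream.append(filter_fn(state))
        state, _ = lfsr_step(state)
    return stream


def xor_bits(bits, keystream):
    """Stream encryption and decryption are the same XOR."""
    return [b ^ k for b, k in zip(bits, keystream)]


if __name__ == "__main__":
    states, outputs = lfsr_cycle((0, 1, 0, 1))
    for s, o in zip(states, outputs):
        print("".join(map(str, s)), o)
    print("cycle length:", len(states))
    # The all-zero state is a fixed point, so it must never be used as a seed.
    print("cycle length from 0000:", len(lfsr_cycle((0, 0, 0, 0))[0]))
    plaintext = [1, 0, 1, 1, 0, 0, 1, 0]          # constructed sample bits
    ks = filtered_keystream((0, 1, 0, 1), len(plaintext))
    print("ciphertext:", xor_bits(plaintext, ks))
```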

Turing is a stream cipher developed for CDMA (Code Division Multiple Access),
which is a wireless communication protocol developed by Qualcomm [12]. Turing generates
160 bits of output in each round by applying a nonlinear filter to the internal state of
an LFSR [13]. In the nonlinear combiner setup, an n variable Boolean function with good
cryptographic properties takes n output bits, each from n distinct LFSRs, and outputs a
secret stream bit. Figure 2.3 illustrates a nonlinear combiner of n LFSRs. An example for
this setup is A5/2, which is the stream cipher used to encrypt voice transmissions in the
GSM cellular telephone network. A5/2 is based on four LFSRs and a nonlinear combiner.


[Figure: a nonlinear Boolean function of n variables combines its inputs into the keystream.]

Figure 2.3: Nonlinear Combiner

2.2.3.  Hash  Functions 

Some secure communications protocols and asymmetric ciphers use hash functions
to ensure authenticity, integrity, and nonrepudiation of a message. A hashing function can
be integrated into a secure communication system to detect an unauthorized modification or
tampering. Secure email systems can employ a digital-signature scheme that uses hashing
functions to ensure the reliability of a message. Since a hashing function does not require a
decryption or recovery of the original message, in a software-based implementation we can
use a fast Boolean function with good cryptographic properties. Some candidates for this
purpose are symmetric and rotation-symmetric Boolean functions, since we can evaluate
them faster due to their simple structures. A Boolean function is symmetric if vectors with




x                 0000  0001  0010  0011  0100  0101  0110  0111
f(x): Symmetric      0     1     1     0     1     0     0     1
g(x): RSBF           1     1     1     0     1     1     0     1

x                 1000  1001  1010  1011  1100  1101  1110  1111
f(x): Symmetric      1     0     0     1     0     1     1     0
g(x): RSBF           1     0     1     1     0     1     1     1

Table 2.8: Comparison of a Symmetric and Rotation-Symmetric Boolean Function


the same Hamming weight have the same function value. A Boolean function is rotation
symmetric if the function renders the same function value for an input vector and its rotation
equivalents.

Table 2.8 illustrates the symmetric and rotation-symmetric functions. The function
$f(x)$ is symmetric, since it has the same function value for all vectors of each Hamming
weight. The function $g(x)$ is rotation symmetric, since each vector and its rotation
equivalents have the same function values. We note that if a function is symmetric, then it is also
rotation symmetric. However, the converse of the previous statement is not true, since a
rotation equivalent of a vector with a Hamming weight $k$ and a non-rotation equivalent of
the vector with the same Hamming weight may have different function values in a
rotation-symmetric function. We give a proper definition of rotation-symmetric Boolean functions
and their properties in the next chapter.

2.3.  CRYPTOGRAPHIC  CHARACTERISTICS  OF  BOOLEAN  FUNCTIONS 

In [14], Shannon establishes two important principles in designing a cipher: confusion
and diffusion. He introduces the principle of confusion to ensure that the relationship
between the ciphertext and the encryption or decryption key is as complex and complicated
as possible, and the principle of diffusion to ensure the plaintexts are dissipated into the
space of ciphertext. Most cryptographic characteristics discussed here are well studied and
address Shannon’s confusion and diffusion principles in a cipher. We review some
well-studied characteristics and outline the significance of the corresponding property.

2.3.1.  Balancedness

A Boolean function $f \in B_n$ is balanced if the truth table of $f$ has $2^{n-1}$ zeros and
$2^{n-1}$ ones. We observe that if $f$ is balanced, $wt(f) = 2^{n-1}$. A balanced Boolean function
counters statistics-based attacks and correlation attacks. We can measure how close the
Boolean function is to a balanced one by the following measure.

Definition 2.3.1. [15] The imbalance of Boolean function $I_f$ is defined as follows

$$I_f = \sum_{x \in F_2^n} \hat{f}(x).$$

The correlation between $f(x)$ and the constant function $f(x) = 0$ or $1$ is -1 <  < 1.

A balanced function $f$ has zero correlation to a constant function, since $I_f = 0$. The
balancedness can be checked by the Walsh-Hadamard transform as shown in the lemma
below.


Lemma 2.3.2. A Boolean function $f$ is balanced if and only if $W_f(\mathbf{0}) = 0$.


2.3.2.  Algebraic  Degree 

Consider a Boolean function in ANF,

$$f(x) = \bigoplus_{\substack{a \in F_2^n \\ j = 1}}^{j = 2^n} c_j \cdot x_1^{a_1} x_2^{a_2} \cdots x_n^{a_n},$$

as in Definition 2.1.11. The algebraic degree of $f(x)$ is the largest number of variables in a term
$c_j \cdot x_1^{a_1} x_2^{a_2} \cdots x_n^{a_n}$ with $a_i = c_j = 1$ with $i = 1, 2, \ldots, n$. We denote the algebraic degree of
$f \in B_n$ as $\deg(f)$. Using interpolation cryptanalysis [16] and high-order differential
cryptanalysis [17], a cryptanalyst can carry out an effective attack on some ciphers employing
low-degree Boolean functions.


2.3.3.  Nonlinearity 

The  use  of  affine  Boolean  functions  in  a  cipher  is  undesirable,  due  to  the  simple 
algebraic  structure  of  affine  functions.  We  want  to  use  Boolean  functions  that  are  far  away 
from  an  affine  function,  which  gives  us  the  following  measure. 

Definition 2.3.3. [4, p. 7] Let $A_n$ be the set of all affine Boolean functions of n variables. The
nonlinearity of a Boolean function $f$, denoted by $nl(f)$, is the minimum Hamming distance
between $f$ and any function in $A_n$.

Theorem 2.3.4. [4, p. 13] For $f \in B_n$,

$$nl(f) = 2^{n-1} - \frac{1}{2} \max_{u \in F_2^n} |W_f(u)|.$$

The following upper limit for the nonlinearity is well known (see Seberry and Zhang [18]).

Theorem 2.3.5. [18] For $f \in B_n$,

$$nl(f) \le 2^{n-1} - 2^{n/2-1}.$$

We observe that $2^{n/2-1}$ in Theorem 2.3.5 is not an integer if n is odd. If n is even,
we have a special family of functions, called bent functions, that achieve the nonlinearity
bound.

Definition 2.3.6. Let $f \in B_n$ and n be even. Then $f$ is a bent function if

$$nl(f) = 2^{n-1} - 2^{n/2-1}.$$

If n is odd with $n = 2k + 1$, $k = 0, 1, 2, \ldots$, the bent concatenation bound is defined as

$$2^{2k} - 2^{k}.$$

It is known that the algebraic degree of a bent function is bounded above by $\frac{n}{2}$ [4,
p. 80]. The r-order nonlinearity of $f$, denoted by $nl_r(f)$, is its distance from the set of all n
variable functions of algebraic degrees at most r. A Boolean function needs to have higher
r-order nonlinearity to resist a fast algebraic attack [19]. We can also devise a statistical
measure using nonlinearity.

Definition 2.3.7. Given a Boolean function $f$, the bias of nonlinearity for $f$, denoted by
$\epsilon(f)$, is


The fast correlation attack on $f$ has an on-line complexity proportional to Q ) " [20].

2.3.4.  Avalanche  and  Propagation  Criteria 

2.3.4.1.  Strict Avalanche Criterion (SAC)

The strict avalanche criterion is one of the cryptographic characteristics that
cover the diffusion principle. The main point is that when we change an element of the
input vector, we want the effect of the change equally distributed throughout the truth
table. This idea was first introduced by Webster and Tavares in [21]. Given $f(x) \in B_n$
and an input $x = (x_1, x_2, \ldots, x_n)$, if we select an $x_k$ in $x$ with $1 \le k \le n$, then we
can envision the domain as two equivalence classes, $A = \{(x_1, \ldots, x_n) \mid x_k = 0\}$ and
$B = \{(x_1, \ldots, x_n) \mid x_k = 1\}$. We note that there are $2^{n-1}$ unique pairs $(x, y)$ with $x \in A$
and $y \in B$ such that $x_i = y_i$ with $i = 1, 2, \ldots, n$ except for when $i = k$. Without loss of
generality, assume $x_k = 0$. As $x_k$ changes from 0 to 1, some pairs have the same function
values (are not affected by the change), and the others have their function values changed
from 0 to 1 or 1 to 0. The Boolean function $f$ satisfies the SAC if exactly half of the pairs
change their function values for all k.

Example 2.3.8. [4, p. 25] In Table 2.9, if we fix $x_2 = 0$, we have $f(000) = 1$, $f(001) = 1$,
$f(100) = 0$, and $f(101) = 1$. When $x_2$ becomes 1, we have $f(010) = 1$, $f(011) = 0$,
$f(110) = 1$, and $f(111) = 1$. We observe that as $x_2$ changes from 0 to 1, $f(0x_20)$ and
$f(1x_21)$ do not change, but $f(0x_21)$ and $f(1x_20)$ change. We can check $x_1$ and $x_3$ in a
similar manner and observe the same result. Therefore, $f$ satisfies the SAC.

The next lemma is a well-known equivalent statement to the definition of the SAC.

x      000  001  010  011  100  101  110  111
f(x)     1    1    1    0    0    1    1    1

Table 2.9: A 3-variable Function Which Satisfies the SAC


Lemma 2.3.9. [21] A Boolean function $f$ satisfies the SAC if and only if $C_f(w) = 0$ for all
$wt(w) = 1$ where $w = (w_1, w_2, \ldots, w_n)$ and $1 \le i \le n$.

Using  Lemma  2.3.9,  we  can  develop  a  computational  tool  to  verify  if  a 
Boolean  function  satisfies  the  SAC. 

2.3.4.2.  Propagation Criteria

The  concept  of  the  propagation  criterion  generalizes  the  SAC.  Preneel  et  al. 
[22]  first  introduced  this  idea. 

Definition 2.3.10. [4, p. 38] A Boolean function $f$ satisfies the propagation criterion of
degree k or $PC(k)$ if changing the value of any i elements of the input vector with $1 \le i \le k \le n$
changes exactly half of the function values of the affected vectors.

We can extend Lemma 2.3.9 to cover the $PC(k)$ functions.

Lemma 2.3.11. A Boolean function $f$ satisfies $PC(k)$ if and only if $C_f(w) = 0$ for all
$wt(w) = m$ where $w = (w_1, w_2, \ldots, w_n)$ and $1 \le m \le k$.

2.3.5.  Global  Avalanche  Criterion  (GAC) 

In [9], Zhang and Zheng first introduced the concept of GAC. They noted that the
functions with SAC provide some level of security, but the SAC is only “local” and does
not cover all possible linear structures in a Boolean function. $PC(k)$ on the other hand
covers all possibilities. It seems that a large k implies better security. However, when k
is even and $k = n$, the function is a bent function. Despite the highest nonlinearity, a
bent function is not balanced. To address these issues, they introduced GAC, in which we
measure the avalanche effects throughout all possible n-variable Boolean vectors using the
two measures below.

Definition 2.3.12. [9] Given a Boolean function $f(x)$, the sum-of-squares indicator for the
avalanche characteristic of $f(x)$ is

$$\sigma_f = \sum_{a \in F_2^n} C_f^2(a),$$

and the absolute indicator for the characteristic is


where

$$C_f(a) = \sum_{x \in F_2^n} (-1)^{f(x) \oplus f(x \oplus a)}.$$

Some  cryptographic  properties  conflict  with  one  another.  In  this  case  we  see  three 
conflicting  properties,  namely  balance,  nonlinearity,  and  propagation  criteria.  The  GAC 
provides  us  with  two  general  measures  that  we  can  minimize. 


2.3.6.  Correlation  Immunity  and  Resilience 

Given some Boolean function values $f(x)$, an attacker may guess the relationship
between the elements of input, $x_i$ of $x = (x_1, x_2, \ldots, x_n)$, and $f(x)$. Therefore, we want to
engineer a principle into our function to deal with this kind of situation. Siegenthaler [23]
first conceived the notion of correlation immunity to address this issue.

Definition 2.3.13. [4, p. 49] Let $x_{c_1}, x_{c_2}, \ldots, x_{c_i}$ of $x = (x_1, x_2, \ldots, x_n)$ be any i variables
with $i \le k$ of input $x$. A Boolean function $f(x) \in B_n$ has correlation immunity of order
k, denoted by $CI(k)$, if given $f(x)$, the probability of $x_{c_1}, x_{c_2}, \ldots, x_{c_i}$ being certain value
is $2^{-i}$. In other words, $f(x)$ is statistically independent with respect to any subset of k
variables. In particular, $f(x)$ is called a resilient function of order k if it is $CI(k)$ and
balanced.


Example 2.3.14. The Boolean function in Table 2.10 has $CI(1)$. For example, if
$f(x) = 0$ and $x_i = x_1$, we can compute the conditional probability with $x_1 = 0$,

$$\Pr(x_1 = 0 \mid f(x) = 0) = \frac{\Pr(x_1 = 0 \cap f(x) = 0)}{\Pr(f(x) = 0)} = \frac{3/8}{6/8} = \frac{1}{2},$$

the conditional probability with $x_1 = 1$,

$$\Pr(x_1 = 1 \mid f(x) = 0) = \frac{\Pr(x_1 = 1 \cap f(x) = 0)}{\Pr(f(x) = 0)} = \frac{3/8}{6/8} = \frac{1}{2}.$$

The same procedures can check for $x_i = x_2, x_3$ to conclude that the function has
$CI(1)$. However, we observe that

$$\Pr(x_1 = 1, x_2 = 1 \mid f(x) = 0) = \frac{\Pr(x_1 = 1 \cap x_2 = 1 \cap f(x) = 0)}{\Pr(f(x) = 0)} = \frac{1/8}{6/8} = \frac{1}{6} \ne \frac{1}{4}.$$

Therefore, $f(x)$ does not have $CI(2)$.


x      000  001  010  011  100  101  110  111
f(x)     0    0    0    1    1    0    0    0

Table 2.10: A three-variable function with CI(1)


There is an efficient way to verify CI using the Walsh-Hadamard transform.

Lemma 2.3.15. [4, p. 50] Let $f \in B_n$. $CI(f) = k$ with $1 \le k \le n$ if and only if

$$W_f(w) = \sum_{x \in F_2^n} (-1)^{f(x) \oplus w \cdot x} = 0$$

for all $w$ where $1 \le wt(w) \le k$.
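
The checks stated in Lemma 2.3.2, Theorem 2.3.4, Lemmas 2.3.9 and 2.3.11, Definition 2.3.12 and Lemma 2.3.15 can all be run from two spectra, as in the following added Python example (not code from the thesis; function names are hypothetical). The absolute indicator is computed as the largest $|C_f(a)|$ over nonzero $a$, which is the usual definition and is an assumption here because its formula is not legible on this page.

```python
TABLE_2_9 = [1, 1, 1, 0, 0, 1, 1, 1]    # f(000)..f(111) from Table 2.9
TABLE_2_10 = [0, 0, 0, 1, 1, 0, 0, 0]   # f(000)..f(111) from Table 2.10


def walsh(tt):
    """W_f(w) = sum over x of (-1)^(f(x) XOR w.x), via the fast butterfly."""
    w = [1 - 2 * bit for bit in tt]
    h = 1
    while h < len(w):
        for start in range(0, len(w), 2 * h):
            for j in range(start, start + h):
                w[j], w[j + h] = w[j] + w[j + h], w[j] - w[j + h]
        h *= 2
    return w


def autocorrelation(tt):
    """C_f(a) = sum over x of (-1)^(f(x) XOR f(x XOR a))."""
    size = len(tt)
    return [sum(1 - 2 * (tt[x] ^ tt[x ^ a]) for x in range(size))
            for a in range(size)]


def _largest_zero_weight(spectrum):
    """Largest k such that spectrum[v] == 0 for every v with 1 <= wt(v) <= k."""
    n = len(spectrum).bit_length() - 1
    k = 0
    for weight in range(1, n + 1):
        if any(spectrum[v] for v in range(len(spectrum))
               if bin(v).count("1") == weight):
            break
        k = weight
    return k


def is_balanced(tt):
    """Lemma 2.3.2: balanced iff W_f(0) = 0."""
    return walsh(tt)[0] == 0


def nonlinearity(tt):
    """Theorem 2.3.4: nl(f) = 2^(n-1) - max|W_f(u)| / 2."""
    return len(tt) // 2 - max(abs(v) for v in walsh(tt)) // 2


def ci_order(tt):
    """Lemma 2.3.15: order of correlation immunity (0 if not even CI(1))."""
    return _largest_zero_weight(walsh(tt))


def pc_degree(tt):
    """Lemma 2.3.11: largest k with PC(k) (0 if the SAC already fails)."""
    return _largest_zero_weight(autocorrelation(tt))


def satisfies_sac(tt):
    """Lemma 2.3.9: the SAC is PC(1)."""
    return pc_degree(tt) >= 1


def gac_indicators(tt):
    """(sum-of-squares indicator, absolute indicator) of Definition 2.3.12."""
    c = autocorrelation(tt)
    return sum(v * v for v in c), max(abs(v) for v in c[1:])


if __name__ == "__main__":
    for name, tt in (("Table 2.9", TABLE_2_9), ("Table 2.10", TABLE_2_10)):
        print(name, "balanced:", is_balanced(tt), "nl:", nonlinearity(tt),
              "CI order:", ci_order(tt), "PC degree:", pc_degree(tt),
              "GAC:", gac_indicators(tt))
```

Both tables are unbalanced, so the function of Table 2.10 is CI(1) but not resilient.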

2.3.7.  Algebraic  Immunity 

For decades, linearization and some of its variations have been used to attack a
stream cipher employing a Boolean function. They typically use Gaussian elimination as a
core algorithm. By choosing a Boolean function with a high degree, we can substantially
increase the computing resources needed to carry out an attack, which renders linearization
useless as a practical technique to solve a stream cipher. However, a new class of attack
was introduced in 2003. It was shown that if a stream cipher employs a Boolean function
$f$ or $f \oplus 1$ with a low-degree function $g$ such that $fg = 0$ or $(f \oplus 1)g = 0$, the cipher can be
methodically solved by the algebraic attack discussed in [24] and [25].

Definition 2.3.16. For any $f \in B_n$, a nonzero function $g \in B_n$ is called an annihilator of
$f$ if $fg = 0$, and the algebraic immunity of $f$, denoted by $AI(f)$, is the minimum value of
d such that $f$ or $f \oplus 1$ admits an annihilator of degree d [26].

The following two cases are algebraic attack possibilities [24].

Case 1: Assume that there exists a function $g$ of low algebraic degree such that
$fg = h$, where $h$ is a nontrivial function with low algebraic degree.

Case 2: Assume that there exists a function $g$ of low algebraic degree such that
$fg = 0$. In 2003, Courtois and Meier showed that the algebraic immunity of an n variable
Boolean function is bounded above by $\lceil \frac{n}{2} \rceil$.

Remark 2.3.17. [27] While algebraic immunity is an important cryptographic property, it
is not enough to resist fast algebraic attacks, a more efficient form of algebraic attacks. If
we can find $g$ of low degree and $h$ of algebraic degree not much larger than $n/2$, such that
$fg = h$, then $f$ is susceptible to fast algebraic attacks [24], [28].
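
Definition 2.3.16 can be evaluated directly for small n, which lets a designer confirm that a candidate function meets the $\lceil n/2 \rceil$ bound before using it. The following Python sketch is an added example, not code from the thesis: a nonzero $g$ of degree at most d annihilates $f$ exactly when $g$ vanishes on the support of $f$, so such a $g$ exists when the matrix of monomial values on the support has rank below the number of monomials. The function names are hypothetical and the majority function is a constructed test input.

```python
from itertools import combinations


def monomials_up_to(n, d):
    """Bitmasks of all monomials in n variables of degree <= d.
    Mask 0 is the constant monomial 1."""
    masks = []
    for k in range(d + 1):
        for combo in combinations(range(n), k):
            masks.append(sum(1 << i for i in combo))
    return masks


def rank_gf2(rows):
    """Rank over F2 of a matrix given as Python ints (bit j = column j)."""
    basis = {}                      # highest set bit -> reduced row
    for row in rows:
        while row:
            top = row.bit_length() - 1
            if top not in basis:
                basis[top] = row
                break
            row ^= basis[top]
    return len(basis)


def has_annihilator(tt, d):
    """True if a nonzero g with deg(g) <= d satisfies f*g = 0."""
    n = len(tt).bit_length() - 1
    monos = monomials_up_to(n, d)
    rows = []
    for x in range(len(tt)):
        if tt[x]:
            # A monomial evaluates to 1 at x iff all of its variables are set in x.
            rows.append(sum(1 << j for j, m in enumerate(monos) if m & x == m))
    return rank_gf2(rows) < len(monos)


def algebraic_immunity(tt):
    """Smallest d such that f or f XOR 1 has an annihilator of degree d.
    Constant functions return 0, since g = 1 annihilates f = 0."""
    n = len(tt).bit_length() - 1
    complement = [bit ^ 1 for bit in tt]
    for d in range(n + 1):
        if has_annihilator(tt, d) or has_annihilator(complement, d):
            return d
    return n


def majority(n):
    """Constructed test input: 1 when more than half of the n inputs are 1."""
    return [1 if 2 * bin(x).count("1") > n else 0 for x in range(1 << n)]


if __name__ == "__main__":
    table_2_10 = [0, 0, 0, 1, 1, 0, 0, 0]       # function of Table 2.10
    print("AI(Table 2.10) =", algebraic_immunity(table_2_10))
    for n in (3, 5):
        print(f"AI(majority on {n} variables) =", algebraic_immunity(majority(n)),
              "bound:", (n + 1) // 2)
```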

2.3.8.  Normality 

The normality was first discussed by Dobbertin while examining bent functions
in [29]. Since the number of variables in a bent function is even, the initial focus was
on the even variable functions, which are invariant with respect to the vectors in a flat.
Dobbertin called a Boolean function of even variables “normal” if it is invariant on a flat of
the dimension $\frac{n}{2}$. Later this concept was generalized for odd variable functions invariant in
a flat of dimension $\lceil \frac{n}{2} \rceil$. Dobbertin conjectured that all bent functions are normal. However,
some non-normal bent functions were discovered by Canteaut et al. [30], and the notion
of normality became an independent measure for general Boolean functions. Later, it was
shown that there are very few normal functions, and the definition below was established
by Carlet [31].

Definition 2.3.18. A Boolean function $f \in B_n$ is called k-normal if there exists a
k-dimensional flat $G$ such that $f$ is constant on $G$. We denote such condition as $f|_G = 0$ or $1$. If $k = \lceil \frac{n}{2} \rceil$,
$f$ is simply called a normal function.

General  information  on  the  normality  can  be  found  in  [32]. 

2.4.  TRADEOFFS  BETWEEN  CRYPTOGRAPHIC  PROPERTIES 

Unfortunately, composing or finding good cryptographic Boolean functions has a
few obstacles, since there are some cryptographic properties that we cannot optimize
simultaneously. We present common dilemmas among cryptographic properties with the
relevant theorems.

2.4.1.  Correlation  Immunity  and  Degree 

In 1984, Siegenthaler [23] showed that there is a necessary tradeoff between achieving
high-degree and high-correlation immunity.

Theorem 2.4.1. [23, Theorem 1] If a Boolean function $f$ is $CI(k)$, then the degree of $f$ is
at most $n - k$. If $f$ is $CI(k)$ with $k < n - 1$ and balanced, then the degree of $f$ is at most
$n - k - 1$.

2.4.2.  Correlation  Immunity  and  Nonlinearity 

Theorem 2.4.2 illustrates the tradeoff between correlation immunity and nonlinearity
of Boolean functions.

Theorem 2.4.2. [33] If a Boolean function $f$ is $CI(k)$ with $k < n - 2$,

$$nl(f) \le 2^{n-1} - 2^{k+1}.$$

We  can  combine  Theorems  2.4.1  and  2.4.2  and  obtain  the  following  theorems. 

Theorem 2.4.3. [4, p. 71] If $f$ is balanced and $CI(k)$ with $k < n - 2$, then equality is
possible in Theorem 2.4.2 only if $f$ has its maximum possible degree $n - k - 1$.
If $\deg(f) < n - k - 1$, then

$$nl(f) \le 2^{n-1} - 2^{k+2}.$$

The following theorem by Carlet improves Theorem 2.4.3 to incorporate the degree
of the function in the upper bound [4, p. 72].

Theorem 2.4.4. [34] If a balanced Boolean function $f$ with degree d is $CI(k)$ with $k < n - 2$,
then

$$nl(f) \le 2^{n-1} - 2^{k+1+\lfloor (n-k-2)/d \rfloor}.$$

2.4.3.  Algebraic  Immunity  and  Nonlinearity 

The following theorem describes the limit (commonly called “Lobanov’s bound”).
The theorem implies that we can increase the algebraic immunity of a function along with
the nonlinearity, but at the expense of decreasing the correlation immunity due to Theorem
2.4.2.

Theorem 2.4.5. [35] If $f \in B_n$ has algebraic immunity k,

$$nl(f) \ge 2 \sum_{i=0}^{k-2} \binom{n-1}{i}.$$

3.  AFFINE  EQUIVALENCE  OF  MONOMIAL
ROTATION-SYMMETRIC  BOOLEAN  FUNCTIONS 

3.1.  INTRODUCTION 

In this chapter, we study the affine equivalence of monomial rotation-symmetric
(MRS) Boolean functions. A general affine equivalence problem for Boolean functions is
a complete partitioning of the n-variable Boolean function space based on an affine
equivalence relation. A greedy algorithm for affine equivalence verification requires checking
all elements of $GL_n(F_2)$, and has computational complexity $O(2^{n^2})$. This implies that
if $n > 7$, the problem becomes quite a challenge for current computing platforms. The
first notable effort to solve an affine equivalence problem is found in [36], published in
1964. Berlekamp and Welch [37] in 1972 found all equivalence classes for all five variable
Boolean functions. In 1991, Maiorana [38] computed 150,357 equivalence classes
of six variable Boolean functions. Due to its complexity and size, affine equivalence still
remains a tough problem to deal with, especially for a general solution, which addresses
any $n \in N$. Besides the pure mathematical perspective, an affine equivalence can be
applied to cryptanalysis and cryptographic engineering. For example, differential and linear
cryptanalyses are two major techniques to solve the S-boxes of block ciphers. If an S-box
is vulnerable to differential or linear cryptanalysis, so are the S-boxes realizing affine
equivalent functions. This fact simplifies the tasks of cryptanalysts, since they just need
to choose and analyze an (easy) representative of an equivalence class. On the other hand,
the cryptographic engineers may take advantage of affine equivalent S-boxes of an S-box
that is strongly resistant to these attacks, since affine transformations have small delays and
preserve much of the cryptographic properties of the original function.

n    Number of Classes
1    1
2    2
3    3
4    8
5    48
6    150,357

Table 3.1: Affine Equivalence Classes in $B_n$

A rotation-symmetric Boolean function (RSBF) is invariant under the rotation or
circular shift of an input. For example, if $f \in B_3$ is rotation symmetric, then $f(001) =
f(010) = f(100)$, $f(011) = f(101) = f(110)$, and so on. Since an RSBF uses repeated
function values, it is relatively fast. However, despite being seemingly simple functions
to evaluate, the class of RSBFs contains many functions richly endowed with good
cryptographic properties. For example, the famous Patterson-Wiedemann function in $B_{15}$
[39], which achieves nonlinearity 16276, strictly greater than the bent concatenation
bound $2^{15-1} - 2^{(15-1)/2} = 16256$, is rotation symmetric [4, p. 112]. Moreover, Kavut et
al. [40], [41], [42] proved that there exist rotation-symmetric functions of nine variables
with the nonlinearity 241 and 242, which is also strictly greater than the bent concatenation
bound $2^{9-1} - 2^{(9-1)/2} = 240$ [4, p. 112]. Due to their speed and the prospect of being
good cryptographic Boolean functions, RSBFs have received a lot of attention from
cryptographic researchers. In [43], Filiol and Fontaine initially studied cryptographic properties
of RSBFs (they used the term “idempotent” function instead of RSBF), mainly focusing
on nonlinearity [4, p. 112]. Later, the nonlinearity and correlation immunity of RSBFs
were studied thoroughly in [44], [45], [46], [47], and [48]. The RSBFs’ speed and potential
to have good cryptographic properties make them suitable for such an application as
hashing algorithms. Pieprzyk and Qu studied the use of RSBFs in a hashing algorithm in
[3]. We note the papers [49] and [50] dealing with algebraic immunity of RSBF. The class
of RSBFs is interesting to apply the notion of affine equivalence to, as the function
space is much smaller ($\approx 2^{2^n/n}$) than the total space of Boolean functions ($2^{2^n}$), and the
set contains functions with very good cryptographic properties. It has been experimentally
demonstrated that there are RSBFs that are simultaneously good in terms of balancedness,
nonlinearity, correlation immunity, algebraic degree, and algebraic immunity.

There has been consistent effort to investigate the affine equivalence of RSBFs.
Some recent efforts include [51], [52], [53], [54], and [55]. In this chapter, we focus on a
type of affine equivalence named “S-equivalence” applied to monomial rotation-symmetric
(MRS) functions. The material in this chapter is based on Chung and Stanica [56].

3.2.  AFFINE  EQUIVALENCE  OF  BOOLEAN  FUNCTIONS 

Definition 3.2.1. We say that $f, g \in B_n$ are affine equivalent if there exists an $n \times n$
invertible matrix $A$ over the finite field $F_2$, the vectors $b, c \in F_2^n$ and $d \in F_2$ such that
$g(x) = f(xA \oplus b) \oplus c \cdot x \oplus d$.

Some researchers prefer a simplified version of equivalence where $c = 0$ and $d = 0$.

Definition 3.2.2. [55] We say that two Boolean functions $f(x)$ and $g(x)$ in $B_n$ are equivalent
under an affine transformation if $g(x) = f(xA \oplus b)$, where $A$ is an $n \times n$ nonsingular
matrix over the finite field $F_2$ and $b$ is an n-dimensional vector over $F_2$. We say $f(xA \oplus b)$
is a nonsingular affine transformation of $f(x)$.

In this thesis, we focus on a type of affine equivalence where $b = 0$, $c = 0$, $d = 0$,
and $A$ is a permutation matrix. We will define this notion called “S-equivalence” in a later
section.

Example 3.2.3. Consider the following five variable Boolean functions,

$$f = x_1x_2 \oplus x_3x_4x_5$$

$$f_1 = x_1x_2 \oplus x_3x_4x_5 \oplus x_1 \oplus x_3$$

$$f_2 = x_1x_2 \oplus x_3x_4x_5 \oplus x_2 \oplus x_3 \oplus x_5 \oplus 1$$

$$f_3 = x_3x_4 \oplus x_1x_2x_5 \oplus x_1 \oplus x_3 \oplus 1$$

$$f_4 = (x_4 \oplus 1)x_3 \oplus x_1x_2(x_5 \oplus 1) \oplus x_1 \oplus x_3 \oplus 1
     = x_3x_4 \oplus x_1x_2x_5 \oplus x_1x_2 \oplus x_1 \oplus 1$$

We see that $f_1 = f \oplus c \cdot x$, where $c = (1, 0, 1, 0, 0)$. $f_2 = f \oplus c \cdot x \oplus d$, where
$c = (0, 1, 1, 0, 1)$ and $d = 1$. $f_3 = f(xA) \oplus c \cdot x \oplus d$, where

$$A = \begin{pmatrix}
0 & 0 & 0 & 0 & 1 \\
0 & 0 & 1 & 0 & 0 \\
0 & 1 & 0 & 0 & 0 \\
1 & 0 & 0 & 0 & 0 \\
0 & 0 & 0 & 1 & 0
\end{pmatrix},$$

$c = (1, 0, 1, 0, 0)$, and $d = 1$. $f_4 = f(xA \oplus b) \oplus c \cdot x \oplus d$, where $A$, $c$, and $d$ are the same as
for $f_3$ with $b = (1, 0, 0, 1, 0)$.


Essentially, a permutation transformation rearranges the order of input, which preserves the Hamming weight of the truth table. Clearly, if $f$ and $g$ are equivalent under affine transformation, then $wt(f) = wt(g)$ and $nl(f) = nl(g)$. However, the sufficiency only holds for quadratic Boolean functions.

Theorem 3.2.4. [56] Two quadratic functions $f$ and $g$ in $B_n$ are equivalent under affine transformation if and only if $wt(f) = wt(g)$ and $nl(f) = nl(g)$.

Unfortunately, the result cannot be extended to higher degrees. In S-equivalence, we obtain a similar result for degrees $> 2$. If two functions $f$ and $g$ in $B_n$ are S-equivalent, then $wt(f) = wt(g)$ and $nl(f) = nl(g)$. The converse of the statement does not hold. We can still use the result to show non-equivalence in many cases.
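The following Python check is an added example, not part of the thesis: it rebuilds $f_4$ of Example 3.2.3 as $f(\mathbf{x}A \oplus \mathbf{b}) \oplus \mathbf{c} \cdot \mathbf{x} \oplus d$ and compares weight and nonlinearity before and after the transformation. The helper names are chosen here for illustration; the weight is preserved under the Definition 3.2.2 form ($\mathbf{c} = 0$, $d = 0$), while the extra term $\mathbf{c} \cdot \mathbf{x}$ of Definition 3.2.1 keeps the nonlinearity but can change the weight.

```python
from itertools import product

N = 5
POINTS = list(product((0, 1), repeat=N))  # all inputs (x1, ..., x5)

def f(x):
    """f = x1x2 + x3x4x5 from Example 3.2.3."""
    x1, x2, x3, x4, x5 = x
    return (x1 & x2) ^ (x3 & x4 & x5)

def f4_expanded(x):
    """The expanded ANF of f4 given in Example 3.2.3."""
    x1, x2, x3, x4, x5 = x
    return (x3 & x4) ^ (x1 & x2 & x5) ^ (x1 & x2) ^ x1 ^ 1

# A, b, c, d exactly as listed in Example 3.2.3.
A = [
    [0, 0, 0, 0, 1],
    [0, 0, 1, 0, 0],
    [0, 1, 0, 0, 0],
    [1, 0, 0, 0, 0],
    [0, 0, 0, 1, 0],
]
B = (1, 0, 0, 1, 0)
C = (1, 0, 1, 0, 0)
D = 1
ZERO = (0, 0, 0, 0, 0)

def vec_mat(x, m):
    """Row vector times matrix over F2."""
    return tuple(sum(x[i] & m[i][j] for i in range(len(x))) % 2
                 for j in range(len(m[0])))

def dot(u, v):
    """Inner product over F2."""
    return sum(p & q for p, q in zip(u, v)) % 2

def affine_image(func, a, b, c, d):
    """Return g with g(x) = func(xA + b) + c.x + d over F2 (Definition 3.2.1)."""
    def g(x):
        y = tuple(p ^ q for p, q in zip(vec_mat(x, a), b))
        return func(y) ^ dot(c, x) ^ d
    return g

def truth_table(func):
    return [func(x) for x in POINTS]

def weight(func):
    """Hamming weight of the truth table."""
    return sum(truth_table(func))

def nonlinearity(func):
    """nl = 2^(n-1) - max|W(w)|/2, using a fast Walsh-Hadamard transform."""
    w = [1 - 2 * v for v in truth_table(func)]
    h = 1
    while h < len(w):
        for i in range(0, len(w), 2 * h):
            for j in range(i, i + h):
                w[j], w[j + h] = w[j] + w[j + h], w[j] - w[j + h]
        h *= 2
    return 2 ** (N - 1) - max(abs(v) for v in w) // 2

if __name__ == "__main__":
    f4 = affine_image(f, A, B, C, D)
    g = affine_image(f, A, B, ZERO, 0)   # Definition 3.2.2 form
    print("f4 matches expanded ANF:", truth_table(f4) == truth_table(f4_expanded))
    for name, fn in (("f", f), ("f(xA+b)", g), ("f4", f4)):
        print(name, "wt =", weight(fn), "nl =", nonlinearity(fn))
```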

3.3.  ROTATION-SYMMETRIC  BOOLEAN  FUNCTIONS 

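Definition 3.3.1. Let $x_i \in \mathbb{F}_2$ for $1 \le i \le n$. For $1 \le k \le n$, we define the permutation $\rho_n^k$ on $(x_1, x_2, \ldots, x_n) \in \mathbb{F}_2^n$ such that
$$\rho_n^k((x_1, x_2, \ldots, x_{n-1}, x_n)) = (\rho_n^k(x_1), \rho_n^k(x_2), \ldots, \rho_n^k(x_{n-1}), \rho_n^k(x_n)),$$
where
$$\rho_n^k(x_i) = x_{i+k} \quad \text{if } i + k \le n$$
and
$$\rho_n^k(x_i) = x_{i+k-n} \quad \text{if } i + k > n.$$
Hence, $\rho_n^k$ acts as a $k$-cyclic rotation on an $n$-bit vector.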

Based on the permutation in Definition 3.3.1, we define the RSBF.

Definition 3.3.2. A Boolean function $f$ is called rotation symmetric if, for each vector $(x_1, \ldots, x_n)$ in $\mathbb{F}_2^n$,
$$f(\rho_n^k(x_1, \ldots, x_n)) = f(x_1, \ldots, x_n), \quad \text{for } 1 \le k \le n.$$

Definition 3.3.2 implies that the rotation-symmetric Boolean functions (RSBFs) are invariant under a cyclic rotation of input vectors. Clearly, the input vectors in a rotation class are in an equivalence relation. Therefore, the inputs of a rotation-symmetric Boolean function can be divided into partitions so that each partition consists of all cyclic shifts of one input. A partition is generated by, say, $G_n(x_1, x_2, \ldots, x_n) = \{\rho_n^k(x_1, x_2, \ldots, x_n) \mid 1 \le k \le n\}$, and we denote the number of such partitions by $g_n$. By the product rule of combinatorics, the number of $n$-variable RSBFs is $2^{g_n}$. Let $\phi(k)$ be Euler's phi-function. Then, from Burnside's lemma [48],
$$g_n = \frac{1}{n} \sum_{k \mid n} \phi(k)\, 2^{n/k}.$$
Let $g_{n,w}$ denote the number of partitions with $w$, the common weight of the vectors in the partition. The papers [45], [47], and [48] address the formula for calculating $g_{n,w}$ for arbitrary $n$ and $w$. It is also noteworthy that Zhang and Deng [57] corrected the enumeration of $G_n(x_1, x_2, \ldots, x_n)$ such that $|G_n(x_1, x_2, \ldots, x_n)| = n$ in [48] and generalized the enumeration for $|G_n(x_1, x_2, \ldots, x_n)| = r$ where $r \mid n$.

Definition 3.3.3. Let
$$G_n(x_1, \ldots, x_n) = \{\rho_n^k(x_1, \ldots, x_n), \text{ for } 1 \le k \le n\}$$
be the orbit of $(x_1, \ldots, x_n)$ under the action of $\rho_n^k$, $1 \le k \le n$. It is clear that $G_n(x_1, \ldots, x_n)$ generates a partition in the set $\mathbb{F}_2^n$. A rotation-symmetric function $f(x_1, \ldots, x_n)$ can be written (for short) as
$$a_0 \oplus a_1x_1 \oplus \sum a_{1j}x_1x_j \oplus \cdots \oplus a_{12\ldots n}x_1x_2 \cdots x_n \quad (SANF),$$
where the coefficients $a_0, a_1, a_{1j}, \ldots, a_{12\ldots n} \in \{0, 1\}$, and the existence of a representative term $x_1x_{i_2} \ldots x_{i_l}$ implies the existence of all the terms from $G_n(x_1x_{i_2} \ldots x_{i_l})$ in the ANF. We call this representation of $f$ the short algebraic normal form (SANF) of $f$.

Remark 3.3.4. We note that the SANF is not unique, since one can choose any representative in $G_n(x_1x_{i_2} \ldots x_{i_l})$.

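Example 3.3.5. The 5-variable RSBFs $f$ and $g$ are shown in ANF and SANF below.
$$\begin{aligned} f(\mathbf{x}) &= x_1 \ (SANF) \\ &= x_1 \oplus x_2 \oplus x_3 \oplus x_4 \oplus x_5 \end{aligned}$$
$$\begin{aligned} g(\mathbf{x}) &= x_1 \oplus x_1x_2x_5 \ (SANF) \\ &= x_1 \oplus x_2 \oplus x_3 \oplus x_4 \oplus x_5 \oplus x_1x_2x_5 \oplus \cdots \oplus x_5x_1x_4 \end{aligned}$$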


If the SANF of an RSBF contains only one term, we call such a function a monomial rotation-symmetric (MRS) function. A simple number-theoretic deduction gives us that the number of terms in the ANF of a monomial rotation-symmetric function is a divisor of $n$. If that divisor is in fact $n$, we call the function a full-cycle MRS; otherwise, a short-cycle MRS.

Example 3.3.6. The 6-variable RSBF $f(\mathbf{x}) = x_1x_2$ (SANF) is a full-cycle MRS function, and $g(\mathbf{x}) = x_1x_4$ (SANF) is a short-cycle MRS function, as shown below.
$$f(\mathbf{x}) = x_1x_2 \oplus x_2x_3 \oplus x_3x_4 \oplus x_4x_5 \oplus x_5x_6 \oplus x_6x_1$$
$$g(\mathbf{x}) = x_1x_4 \oplus x_2x_5 \oplus x_3x_6$$
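The counting and expansion rules of this section can be exercised directly. The Python below is an added example, not code from the thesis: it enumerates the orbits $G_n$, compares the count with the Burnside formula for $g_n$, and expands a SANF monomial into its ANF to tell full-cycle from short-cycle MRS functions. All function names are chosen here for illustration, and monomials are represented as sets of 1-based variable indices.

```python
from math import gcd

def rotate(bits, k=1):
    """rho_n^k of Definition 3.3.1: position i receives x_{i+k} (indices mod n)."""
    n = len(bits)
    return tuple(bits[(i + k) % n] for i in range(n))

def orbit(bits):
    """G_n(x): the set of all cyclic shifts of x."""
    return frozenset(rotate(bits, k) for k in range(len(bits)))

def count_orbits_enumerated(n):
    """g_n by brute force over all 2^n input vectors."""
    seen = set()
    for v in range(2 ** n):
        seen.add(orbit(tuple((v >> i) & 1 for i in range(n))))
    return len(seen)

def euler_phi(k):
    return sum(1 for j in range(1, k + 1) if gcd(j, k) == 1)

def count_orbits_burnside(n):
    """g_n = (1/n) * sum over k | n of phi(k) * 2^(n/k)."""
    total = sum(euler_phi(k) * 2 ** (n // k)
                for k in range(1, n + 1) if n % k == 0)
    return total // n

def mrs_terms(n, rep):
    """Expand one SANF monomial (1-based indices) into the set of its ANF terms."""
    return {frozenset((i - 1 + k) % n + 1 for i in rep) for k in range(n)}

def is_full_cycle(n, rep):
    """Full-cycle MRS: the ANF has exactly n terms; short-cycle otherwise."""
    return len(mrs_terms(n, rep)) == n

def evaluate(terms, x):
    """Evaluate an ANF (set of monomials) at x = (x1, ..., xn)."""
    value = 0
    for term in terms:
        value ^= int(all(x[i - 1] for i in term))
    return value

def is_rotation_symmetric(n, terms):
    """Check Definition 3.3.2 on every input and every rotation."""
    for v in range(2 ** n):
        x = tuple((v >> i) & 1 for i in range(n))
        if any(evaluate(terms, rotate(x, k)) != evaluate(terms, x)
               for k in range(1, n)):
            return False
    return True

if __name__ == "__main__":
    for n in range(1, 9):
        print(n, count_orbits_enumerated(n), count_orbits_burnside(n))
    print("x1x2, n=6 full cycle:", is_full_cycle(6, (1, 2)))
    print("x1x4, n=6 full cycle:", is_full_cycle(6, (1, 4)))
```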

3.4.  CIRCULANT  MATRICES 


One of the interesting matrices in linear algebra is a Toeplitz matrix. An $n \times n$ Toeplitz matrix $A = \{a_{ij}\}$ has the form
$$A = \begin{pmatrix} a_1 & a_2 & a_3 & \cdots & a_n \\ a_{n+1} & a_1 & a_2 & \ddots & \vdots \\ a_{n+2} & a_{n+1} & \ddots & \ddots & a_3 \\ \vdots & \ddots & \ddots & a_1 & a_2 \\ a_{2n-1} & \cdots & a_{n+2} & a_{n+1} & a_1 \end{pmatrix}.$$
Toeplitz matrices have various engineering applications and have been widely studied. A circulant matrix is a special type of Toeplitz matrix where $a_2 = a_{2n-1}$, $a_3 = a_{2n-2}$, $\ldots$, and $a_n = a_{n+1}$. We apply the principles found in the structure of a circulant matrix extensively in our new findings. To be precise, we use the following definition for a circulant matrix.


Definition 3.4.1. An $n \times n$ matrix $C$ is circulant, denoted by $C(c_1, c_2, \ldots, c_n)$, if all its rows are successive circular permutations of the first row, that is,
$$C = \begin{pmatrix} c_1 & c_2 & c_3 & \cdots & c_n \\ c_n & c_1 & c_2 & \cdots & c_{n-1} \\ \vdots & & \ddots & & \vdots \\ c_2 & \cdots & c_{n-1} & c_n & c_1 \end{pmatrix},$$
where $c_i \in F$, for $F$ a field, and $i \in \{1, 2, \ldots, n\}$.

We denote the set of all circulant matrices as $\mathcal{C}$ and the set of all $n \times n$ circulant matrices as $\mathcal{C}_n$.

We define the generating polynomial $F$ of a circulant matrix $C(c_1, \ldots, c_n)$ by
$$F(z) = c_1 + c_2z + \cdots + c_nz^{n-1}.$$

It is clear that the circulant matrices are closed under matrix addition. That is, for any two circulant matrices $A$ and $B$, $A + B$ is circulant as well. Additionally, $A + B = B + A$ and the associative property holds. Therefore, $\mathcal{C}_n$ forms an abelian group. We proceed to prove another interesting fact about circulant matrices. We also observe that the transpose of a circulant matrix $C = C(c_1, c_2, \ldots, c_n)$, denoted by $C^T$, is $C(c_1, c_n, c_{n-1}, \ldots, c_2)$.

Proposition 3.4.2. [56] An $n \times n$ matrix $C = \{c_{ij}\}$ is circulant if and only if $c_{ij} = c_{uv}$ whenever $j - i \equiv u - v \pmod{n}$.

There exists a way to express a circulant matrix as a linear combination of a basis of matrices. Let $G$ be the $n \times n$ binary circulant matrix $G = C(0, 1, 0, \ldots, 0)$, which is
$$\begin{pmatrix} 0 & 1 & 0 & \cdots & 0 & 0 \\ 0 & 0 & 1 & \cdots & 0 & 0 \\ \vdots & & & \ddots & & \vdots \\ 0 & 0 & 0 & \cdots & 0 & 1 \\ 1 & 0 & 0 & \cdots & 0 & 0 \end{pmatrix}.$$
The following lemma shows that the powers of $G$, $G^j$, where $1 \le j \le n$, form a basis for the commutative algebra $\mathcal{C}_n$.


Lemma 3.4.3. [58, p. 68] Let $A \in \mathcal{C}_n$ and $A = C(a_1, a_2, \ldots, a_n)$. Then
$$A = \sum_{i=1}^{n} a_iG^{i-1} = \sum_{i \in \Delta(A)} G^{i-1},$$
where $\Delta(A) = \{i \mid a_i = 1\} \subseteq \{1, 2, \ldots, n\}$.

It is well known that the circulant matrices in $\mathbb{C}$ commute in multiplication [58, p. 68]. Since some matrix properties in $\mathbb{C}$ may not hold in $\mathbb{F}_2$, we verify the commutativity.

Lemma 3.4.4. [56] Let $A = C(a_1, a_2, \ldots, a_n)$ and $B = C(b_1, b_2, \ldots, b_n)$ be two elements of $\mathcal{C}_n$ with $a_i, b_j \in \mathbb{F}_2$ for $1 \le i, j \le n$. Then,
$$AB = BA.$$

In all sums below, $i, j$ run from $1$ to $n$ and the congruences are taken modulo $n$.
$$AB = \begin{pmatrix} \sum\limits_{i+j \equiv 2} a_ib_j & \sum\limits_{i+j \equiv 3} a_ib_j & \cdots & \sum\limits_{i+j \equiv 1} a_ib_j \\ \sum\limits_{i+j \equiv 1} a_ib_j & \sum\limits_{i+j \equiv 2} a_ib_j & \cdots & \sum\limits_{i+j \equiv n} a_ib_j \\ \vdots & \vdots & \ddots & \vdots \\ \sum\limits_{i+j \equiv 3} a_ib_j & \sum\limits_{i+j \equiv 4} a_ib_j & \cdots & \sum\limits_{i+j \equiv 2} a_ib_j \end{pmatrix}$$
$$= C\Big( \sum_{i+j \equiv 2} a_ib_j,\ \sum_{i+j \equiv 3} a_ib_j,\ \ldots,\ \sum_{i+j \equiv n} a_ib_j,\ \sum_{i+j \equiv 1} a_ib_j \Big).$$
Since $a_i, b_j \in \mathbb{F}_2$,
$$= C\Big( \sum_{\substack{i \in \Delta(A),\, j \in \Delta(B) \\ i+j \equiv 2}} b_ja_i,\ \sum_{\substack{i \in \Delta(A),\, j \in \Delta(B) \\ i+j \equiv 3}} b_ja_i,\ \ldots,\ \sum_{\substack{i \in \Delta(A),\, j \in \Delta(B) \\ i+j \equiv 1}} b_ja_i \Big) = BA.$$
Therefore, the claim holds. □

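Clearly, $\mathcal{C}_n$ has the associative property with respect to matrix multiplication. Therefore, $\mathcal{C}_n$ forms a commutative monoid. Since $\mathcal{C}_n$ is an abelian group, $\mathcal{C}_n$ forms a commutative algebra. We recall that $A \in \mathcal{C}_n$ implies that $A^T \in \mathcal{C}_n$. Then, we have $A^TA = AA^T$ by Lemma 3.4.4. Therefore, $\mathcal{C}_n$ is normal.

Corollary 3.4.5. [56] Let $A = C(a_1, a_2, \ldots, a_n)$ be a circulant matrix over $\mathbb{F}_2$. Then
$$A^2 = C\Big( \sum_{\substack{i,j=1 \\ i+j \equiv 2 \pmod{n}}}^{n} a_ia_j,\ \sum_{\substack{i,j=1 \\ i+j \equiv 3 \pmod{n}}}^{n} a_ia_j,\ \ldots,\ \sum_{\substack{i,j=1 \\ i+j \equiv n \pmod{n}}}^{n} a_ia_j,\ \sum_{\substack{i,j=1 \\ i+j \equiv 1 \pmod{n}}}^{n} a_ia_j \Big)$$
$$= \begin{cases} C(a_1, a_{\lceil n/2 \rceil + 1}, a_2, a_{\lceil n/2 \rceil + 2}, \ldots, a_{\lceil n/2 \rceil}) & \text{if } n \text{ is odd,} \\ C(a_1 + a_{n/2+1}, 0, a_2 + a_{n/2+2}, 0, \ldots, 0) & \text{if } n \text{ is even.} \end{cases}$$

Proof. Let
$$A = C(a_1, a_2, \ldots, a_n) = \begin{pmatrix} a_1 & a_2 & a_3 & \cdots & a_n \\ a_n & a_1 & a_2 & \cdots & a_{n-1} \\ \vdots & \ddots & \ddots & \ddots & \vdots \\ a_3 & \cdots & a_n & a_1 & a_2 \\ a_2 & \cdots & a_{n-1} & a_n & a_1 \end{pmatrix}.$$
By Lemma 3.4.4, we have
$$A^2 = C\Big( \bigoplus_{\substack{i,j=1 \\ i+j \equiv 2 \pmod{n}}}^{n} a_ia_j,\ \bigoplus_{\substack{i,j=1 \\ i+j \equiv 3 \pmod{n}}}^{n} a_ia_j,\ \ldots,\ \bigoplus_{\substack{i,j=1 \\ i+j \equiv n \pmod{n}}}^{n} a_ia_j,\ \bigoplus_{\substack{i,j=1 \\ i+j \equiv 1 \pmod{n}}}^{n} a_ia_j \Big).$$
If $n = 2k + 1$ for $k = 0, 1, 2, \ldots$,
$$\begin{aligned} \bigoplus_{i+j \equiv 2 \pmod{n}} a_ia_j &= a_1a_1 \oplus a_2a_{2k+1} \oplus \cdots \oplus a_{k+1}a_{k+2} \oplus a_{k+2}a_{k+1} \oplus \cdots \oplus a_{2k+1}a_2 \\ &= a_1 \oplus 2a_{2k+1}a_2 \oplus \cdots \oplus 2a_ka_{k+3} \oplus 2a_{k+1}a_{k+2} = a_1, \end{aligned}$$
$$\begin{aligned} \bigoplus_{i+j \equiv 3 \pmod{n}} a_ia_j &= a_1a_2 \oplus a_2a_1 \oplus a_3a_{2k+1} \oplus \cdots \oplus a_{k+2}a_{k+2} \oplus \cdots \oplus a_{2k+1}a_3 \\ &= a_{k+2} \oplus 2a_1a_2 \oplus \cdots \oplus 2a_3a_{2k+1} = a_{k+2}, \end{aligned}$$
$$\begin{aligned} \bigoplus_{i+j \equiv 4 \pmod{n}} a_ia_j &= a_1a_3 \oplus a_2a_2 \oplus a_3a_1 \oplus a_4a_{2k+1} \oplus \cdots \oplus a_{2k+1}a_4 \\ &= a_2 \oplus 2a_3a_1 \oplus \cdots \oplus 2a_{2k+1}a_4 = a_2, \end{aligned}$$
$$\vdots$$
$$\begin{aligned} \bigoplus_{i+j \equiv 1 \pmod{n}} a_ia_j &= a_1a_{2k+1} \oplus a_2a_{2k} \oplus \cdots \oplus a_{k+1}a_{k+1} \oplus \cdots \oplus a_{2k}a_2 \oplus a_{2k+1}a_1 \\ &= a_{k+1} \oplus 2a_1a_{2k+1} \oplus \cdots \oplus 2a_{2k}a_2 = a_{k+1}. \end{aligned}$$
Therefore,
$$\begin{aligned} A^2 &= C(a_1, a_{k+2}, a_2, a_{k+3}, a_3, \ldots, a_k, a_{2k+1}, a_{k+1}) \\ &= C(a_1, a_{\lceil n/2 \rceil + 1}, a_2, a_{\lceil n/2 \rceil + 2}, \ldots, a_{\lceil n/2 \rceil}). \end{aligned}$$
If $n = 2k$ for $k = 0, 1, 2, \ldots$,
$$\begin{aligned} \bigoplus_{i+j \equiv 2 \pmod{n}} a_ia_j &= a_1a_1 \oplus a_2a_{2k} \oplus \cdots \oplus a_ka_{k+2} \oplus a_{k+1}a_{k+1} \oplus a_{k+2}a_k \oplus \cdots \oplus a_{2k}a_2 \\ &= a_1 \oplus a_{k+1} \oplus 2a_2a_{2k} \oplus \cdots \oplus 2a_ka_{k+2} = a_1 \oplus a_{k+1}, \end{aligned}$$
$$\begin{aligned} \bigoplus_{i+j \equiv 3 \pmod{n}} a_ia_j &= a_1a_2 \oplus a_2a_1 \oplus a_3a_{2k} \oplus a_4a_{2k-1} \oplus \cdots \oplus a_{2k-1}a_4 \oplus a_{2k}a_3 \\ &= 2a_1a_2 \oplus \cdots \oplus 2a_{2k}a_3 = 0, \end{aligned}$$
$$\begin{aligned} \bigoplus_{i+j \equiv 4 \pmod{n}} a_ia_j &= a_1a_3 \oplus a_2a_2 \oplus a_3a_1 \oplus a_4a_{2k} \oplus \cdots \oplus a_{k+2}a_{k+2} \oplus \cdots \oplus a_{2k}a_4 \\ &= a_2 \oplus a_{k+2} \oplus 2a_3a_1 \oplus \cdots \oplus 2a_{2k}a_4 = a_2 \oplus a_{k+2}, \end{aligned}$$
$$\vdots$$
$$\begin{aligned} \bigoplus_{i+j \equiv 1 \pmod{n}} a_ia_j &= a_1a_{2k} \oplus a_2a_{2k-1} \oplus \cdots \oplus a_{2k-1}a_2 \oplus a_{2k}a_1 \\ &= 2a_1a_{2k} \oplus \cdots \oplus 2a_{2k-1}a_2 = 0. \end{aligned}$$
Therefore,
$$\begin{aligned} A^2 &= C(a_1 \oplus a_{k+1}, 0, a_2 \oplus a_{k+2}, 0, a_3 \oplus a_{k+3}, \ldots, a_k \oplus a_{2k}, 0) \\ &= C(a_1 \oplus a_{n/2+1}, 0, a_2 \oplus a_{n/2+2}, 0, \ldots, 0). \end{aligned}$$
□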
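Lemma 3.4.4 and Corollary 3.4.5 can be confirmed exhaustively for small $n$. The Python below is an added example, not code from the thesis: it multiplies circulant matrices over $\mathbb{F}_2$ both as full matrices and through their first rows, and compares $A^2$ with the closed form of the corollary. Function names are chosen here, and first rows are tuples with 0-based indices.

```python
from itertools import product

def circ_matrix(c):
    """Full matrix C(c_1, ..., c_n): row i is the first row rotated right i times."""
    n = len(c)
    return [[c[(j - i) % n] for j in range(n)] for i in range(n)]

def mat_mul(x, y):
    """Ordinary matrix product over F2."""
    n = len(x)
    return [[sum(x[i][k] & y[k][j] for k in range(n)) % 2 for j in range(n)]
            for i in range(n)]

def circ_mul(a, b):
    """First row of C(a)C(b): entry m sums a_i b_j over i + j = m + 1 (mod n)."""
    n = len(a)
    row = [0] * n
    for i in range(n):
        if a[i]:
            for j in range(n):
                row[(i + j) % n] ^= b[j]
    return tuple(row)

def square_by_corollary(a):
    """First row of C(a)^2 as stated in Corollary 3.4.5."""
    n = len(a)
    out = [0] * n
    if n % 2:
        half = (n + 1) // 2                      # ceil(n/2)
        for p in range(n):
            # odd positions carry a_1, a_2, ...; even positions a_{ceil(n/2)+1}, ...
            out[p] = a[p // 2] if p % 2 == 0 else a[half + p // 2]
    else:
        for p in range(0, n, 2):
            # a_t + a_{n/2+t} in the odd positions, zeros in the even ones
            out[p] = a[p // 2] ^ a[n // 2 + p // 2]
    return tuple(out)

def check_all(n):
    """Check commutativity, first-row/matrix agreement and the squaring rule."""
    rows = list(product((0, 1), repeat=n))
    for a in rows:
        if circ_mul(a, a) != square_by_corollary(a):
            return False
        for b in rows:
            ab = circ_mul(a, b)
            if ab != circ_mul(b, a):
                return False
            if mat_mul(circ_matrix(a), circ_matrix(b)) != circ_matrix(ab):
                return False
    return True

if __name__ == "__main__":
    for n in (3, 4, 5, 6):
        print(n, check_all(n))
```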

An $n \times n$ permutation matrix $P_\sigma$ is an $n \times n$ matrix obtained by applying a permutation $\sigma \in S_n$, where $S_n$ is the symmetric group of order $n$, to the rows (or columns) of the identity matrix $I_n$.

Definition 3.4.6. We define a relation denoted by $\sim$ on $\mathcal{C}_n$ as follows. Let $A_1 = C(a_1, \ldots, a_n)$, $A_2 = C(b_1, \ldots, b_n)$. Then,
$$A_1 \sim A_2 \text{ if and only if } (a_1, \ldots, a_n) = \rho^k(b_1, \ldots, b_n).$$
Due to reflexivity, symmetry, and transitivity of the relation, the relation $\sim$ is an equivalence relation, which partitions $\mathcal{C}$ into equivalence classes. We denote the set of the equivalence classes as $\mathcal{C}/{\sim}$. We further denote the equivalence class of $C(a_1, a_2, \ldots, a_n)$ by $\overline{C(a_1, a_2, \ldots, a_n)}$ or $\langle C(a_1, a_2, \ldots, a_n) \rangle$.

Lemma 3.4.7. [56] Let $M_1, M_2 \in \mathcal{C}_n$, and let $M_1^{-1}$ and $M_2^{-1}$ exist. Then, $M_1$ and $M_2$ belong to the same equivalence class if and only if $M_1^{-1}$ and $M_2^{-1}$ also belong to the same equivalence class.

Proof. We just prove the necessity; the sufficiency proof is similar. Let $M_1 = C(a_1, a_2, \ldots, a_n)$, $M_2 = C(b_1, b_2, \ldots, b_n)$ and $M_1^{-1} = C(\alpha_1, \alpha_2, \ldots, \alpha_n)$ and $M_2^{-1} = C(\beta_1, \beta_2, \ldots, \beta_n)$. It is sufficient to show that $M_2^{-1} \in \overline{C(\alpha_1, \alpha_2, \ldots, \alpha_n)}$. We know that
$$(b_1, b_2, \ldots, b_n) = \rho^k(a_1, a_2, \ldots, a_n)$$
for some $k$. Thus,
$$M_2 = P_kM_1$$
for some permutation matrix $P_k = C(\rho^k(1, 0, \ldots, 0))$. Therefore, by taking the inverse of the previous equation and Lemma 3.4.4,
$$M_2^{-1} = M_1^{-1}P_k^{-1} = P_k^{-1}M_1^{-1}.$$
Therefore, $M_1^{-1}$ and $M_2^{-1}$ belong to the same equivalence class. □

To conclude this section, we show that the equivalence classes of Definition 3.4.6 form a commutative monoid which contains an abelian group.


Theorem 3.4.8. [56] The set $(\mathcal{C}/{\sim}, \cdot)$ with the operation $\langle A \rangle \cdot \langle B \rangle := \langle AB \rangle$ is a commutative monoid. Moreover, the previous operation partitions the invertible circulant matrices $\mathcal{C}^*$ into equivalence classes, say $\mathcal{C}^*/{\sim}$, and consequently, $(\mathcal{C}^*/{\sim}, \cdot)$ becomes a group.


Proof. First, we show that the operation is well defined. Let $A = C(a_1, \ldots, a_n) \sim A' = C(a_1', \ldots, a_n')$, $B = C(b_1, \ldots, b_n) \sim B' = C(b_1', \ldots, b_n')$. We need to show that $AB \sim A'B'$. By Lemma 3.4.4 (with $i, j$ running from $1$ to $n$ and all congruences modulo $n$),
$$AB = C\Big( \sum_{i+j \equiv 2} a_ib_j,\ \sum_{i+j \equiv 3} a_ib_j,\ \ldots,\ \sum_{i+j \equiv 1} a_ib_j \Big),$$
$$A'B' = C\Big( \sum_{i+j \equiv 2} a_i'b_j',\ \sum_{i+j \equiv 3} a_i'b_j',\ \ldots,\ \sum_{i+j \equiv 1} a_i'b_j' \Big).$$
Let $k$ and $s$ be such that
$$\rho^k(a_1, \ldots, a_n) = (a_{1+k \pmod{n}}, \ldots, a_{n+k \pmod{n}}) = (a_1', \ldots, a_n')$$
and
$$\rho^s(b_1, \ldots, b_n) = (b_{1+s \pmod{n}}, \ldots, b_{n+s \pmod{n}}) = (b_1', \ldots, b_n').$$
Then, we have
$$\begin{aligned} A'B' &= C\Big( \sum_{i+j \equiv 2} a_{i+k \pmod{n}}\, b_{j+s \pmod{n}},\ \ldots,\ \sum_{i+j \equiv 1} a_{i+k \pmod{n}}\, b_{j+s \pmod{n}} \Big) \\ &= C\Big( \sum_{i+j+k+s \equiv 2} a_ib_j,\ \sum_{i+j+k+s \equiv 3} a_ib_j,\ \ldots,\ \sum_{i+j+k+s \equiv 1} a_ib_j \Big) \\ &= C\Big( \rho^{k+s}\Big( \sum_{i+j \equiv 2} a_ib_j,\ \sum_{i+j \equiv 3} a_ib_j,\ \ldots,\ \sum_{i+j \equiv 1} a_ib_j \Big) \Big). \end{aligned}$$
Therefore, we have
$$AB \sim A'B'.$$
It is immediate that the defined operation is associative, and the identity element is $\langle C(1, 0, \ldots, 0) \rangle = \langle I_n \rangle$, the class of the identity matrix. The commutative property follows from Lemma 3.4.4. By Lemma 3.4.7, we can let $\langle M \rangle^{-1}$ be the equivalence class of all inverses of circulant matrices from $\langle M \rangle$. We have
$$\langle M \rangle \cdot \langle M \rangle^{-1} = \langle M \rangle \cdot \langle M^{-1} \rangle = \langle I_n \rangle,$$
and the lemma is proved. □

3.5.  S-EQUIVALENCE  OF  MRS  BOOLEAN  FUNCTIONS 

Definition 3.5.1. Let $f, g \in B_n$ be MRS functions. $f$ and $g$ are S-equivalent, denoted by $f \sim g$, if there exists a permutation matrix $P$ such that
$$g(\mathbf{x}) = f(\mathbf{x}P).$$

Example 3.5.2. [56] Let $n = 7$, and the quartic MRS functions
$$f(\mathbf{x}) = x_1x_2x_3x_4 \oplus x_2x_3x_4x_5 \oplus x_3x_4x_5x_6 \oplus x_4x_5x_6x_7 \oplus x_5x_6x_7x_1 \oplus x_6x_7x_1x_2 \oplus x_7x_1x_2x_3,$$
$$g(\mathbf{x}) = x_1x_2x_4x_6 \oplus x_2x_3x_5x_7 \oplus x_3x_4x_6x_1 \oplus x_4x_5x_7x_2 \oplus x_5x_6x_1x_3 \oplus x_6x_7x_2x_4 \oplus x_7x_1x_3x_5.$$
Using the permutation $\pi = (2, 3, 5)(4, 7, 6)$ expressed as a product of disjoint cycles, we check that $f \circ \pi = g$.


We associate $f$ to the following circulant matrix equivalence class
$$A_f = \overline{C(\overset{1}{1}, 0, \ldots, \overset{j_2}{1}, 0, \ldots, 0, \overset{j_3}{1}, \ldots, 0, \overset{j_d}{1}, \ldots, 0)} = \langle C(\overset{1}{1}, 0, \ldots, \overset{j_2}{1}, 0, \ldots, 0, \overset{j_3}{1}, \ldots, 0, \overset{j_d}{1}, \ldots, 0) \rangle, \qquad (3.1)$$
where the 1's appear in positions prompted by the indices of any monomial of the ANF of $f$. We write $\Delta(f) = \Delta(\text{any representative of } A_f)$. In general, for $A_f$ as in Equation (3.1), $\Delta(f) = [1, j_2, \ldots, j_d] = [2, j_2 + 1, \ldots, j_d + 1] = \cdots$. Also, the length of $\Delta(A)$ is denoted by $wt(\Delta(A))$, which is the weight of any row of $A_f$.

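Example 3.5.3. [56] If $n = 5$ and $f(\mathbf{x}) = x_1x_2x_4 \oplus x_2x_3x_5 \oplus x_3x_4x_1 \oplus x_4x_5x_2 \oplus x_5x_1x_3$, then
$$A_f = \left\langle \begin{pmatrix} 1 & 1 & 0 & 1 & 0 \\ 0 & 1 & 1 & 0 & 1 \\ 1 & 0 & 1 & 1 & 0 \\ 0 & 1 & 0 & 1 & 1 \\ 1 & 0 & 1 & 0 & 1 \end{pmatrix} \right\rangle,$$
$$\Delta(f) = [1, 2, 4] = [2, 3, 5] = [1, 3, 4] = [2, 4, 5] = [1, 3, 5].$$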


Lemma 3.5.4. [56] Let $f$ be an MRS Boolean function, and $F_i$, $i = 1, 2$, be the generating polynomials for the circulant matrices $M_1 = C(a_1, a_2, \ldots, a_n)$, respectively, $M_2 = C(b_1, \ldots, b_n)$ in $A_f$, where $(b_1, \ldots, b_n) = \rho^k(a_1, \ldots, a_n)$, for some $k$. Then, $\gcd(F_1(z), z^n - 1) = \gcd(F_2(z), z^n - 1)$.

Proof. Since $(b_1, b_2, \ldots, b_n) = \rho^k(a_1, a_2, \ldots, a_n)$, for some $k$, we use an inductive argument to prove the lemma. Let $k = 1$. Then, $(b_1, b_2, \ldots, b_n) = (a_n, a_1, \ldots, a_{n-1})$. Now, we need to show that
$$\gcd(F_1(z), z^n - 1) = \gcd(F_2(z), z^n - 1)$$
for
$$F_1(z) = a_1 + a_2z + \cdots + a_nz^{n-1}$$
and
$$F_2(z) = a_n + a_1z + \cdots + a_{n-1}z^{n-1}.$$
Certainly,
$$zF_1(z) - F_2(z) = a_n(z^n - 1). \qquad (3.2)$$
Since multiplying $F_1(z)$ by $z$ does not change $\gcd(F_1(z), z^n - 1)$,
$$\gcd(F_1(z), z^n - 1) = \gcd(zF_1(z), z^n - 1).$$
By Equation 3.2,
$$\gcd(F_1(z), z^n - 1) = \gcd(a_n(z^n - 1) + F_2(z), z^n - 1).$$
By the Euclidean algorithm,
$$\gcd(F_1(z), z^n - 1) = \gcd(F_2(z), z^n - 1).$$
For the inductive step, assume it is true for $k = s$. Then, we try to show it for $k = s + 1$. Let $(b_1, b_2, \ldots, b_n) = (a_{n-s}, a_{n-s+1}, \ldots, a_{n-s-1})$. We need to show that
$$\gcd(F_1(z), z^n - 1) = \gcd(F_{s+1}(z), z^n - 1)$$
for
$$F_1(z) = a_1 + a_2z + \cdots + a_nz^{n-1}$$
and
$$F_{s+1}(z) = a_{n-s} + a_{n-s+1}z + \cdots + a_{n-s-1}z^{n-1}.$$
Let
$$F_s(z) = a_{n-s+1} + a_{n-s+2}z + \cdots + a_{n-s}z^{n-1}.$$
Then,
$$zF_s(z) - F_{s+1}(z) = a_{n-s}(z^n - 1). \qquad (3.3)$$
Since multiplying $F_s(z)$ by $z$ does not change $\gcd(F_s(z), z^n - 1)$,
$$\gcd(F_s(z), z^n - 1) = \gcd(zF_s(z), z^n - 1).$$
By Equation 3.3,
$$\gcd(F_s(z), z^n - 1) = \gcd(a_{n-s}(z^n - 1) + F_{s+1}(z), z^n - 1).$$
By the Euclidean algorithm,
$$\gcd(F_s(z), z^n - 1) = \gcd(F_{s+1}(z), z^n - 1).$$
By the induction hypothesis, we conclude that
$$\gcd(F_1(z), z^n - 1) = \gcd(F_{s+1}(z), z^n - 1),$$
which proves the lemma. □

We  introduce  the  concept  of  a  generalized  inverse. 

Definition 3.5.5. For a square matrix $A$, we call a matrix $A^*$ of the same dimension a generalized inverse if
$$AA^*A = A.$$
We call a matrix $A^\dagger$ a reflexive generalized inverse if
$$AA^\dagger A = A$$
and
$$A^\dagger AA^\dagger = A^\dagger.$$
In addition, if both $AA^\dagger$ and $A^\dagger A$ are symmetric, then $A^\dagger$ is called a (Moore-Penrose) pseudoinverse of $A$ [59].

It is known that matrices over finite fields have at least one generalized inverse [60]. Also, if a pseudoinverse exists, it is unique [60]. However, it is not known if any of these generalized inverses of circulant matrices are circulant. Our next result deals with that problem, and, in the process, the first part generalizes the second, which was shown in [61, Theorem 2.2].

Theorem 3.5.6. [56] Let $A = C(a_1, \ldots, a_n)$ be a circulant matrix over $\mathbb{F}_2$ of the generating polynomial $F = a_1 + a_2z + \cdots + a_nz^{n-1} \in \mathbb{F}_2[z]$. Let $\gcd(F(z), z^n - 1) = D(z)$, $z^n - 1 = H(z) \cdot D(z)$, and assume that $\gcd(D(z), H(z)) = 1$. Then, the following statements hold:

(i) The polynomial $F$ is invertible modulo $H$. That is, there exists $F^*(z) = \sum_{j=1}^{n} \alpha_jz^{j-1}$ with $F(z) \cdot F^*(z) \equiv 1 \pmod{H(z)}$. Moreover, the circulant matrix $A$ has a circulant generalized inverse, precisely, $A \cdot A^* \cdot A = A$, where $A^* = C(\alpha_1, \ldots, \alpha_n)$. Additionally, if $\gcd(F, z^n - 1) = \gcd(F^*, z^n - 1)$, then $A^*$ is in fact the reflexive generalized inverse $A^\dagger$.

(ii) [61, Theorem 2.2] If $\gcd(F, z^n - 1) = 1$, then the matrix $A$ is invertible and its inverse is $A^{-1} = C(\alpha_1, \ldots, \alpha_n)$, where $(\alpha_1, \alpha_2, \ldots, \alpha_n)$ is the unique solution of
$$(\alpha_1, \alpha_2, \ldots, \alpha_n) \cdot A = (1, 0, \ldots, 0).$$
Moreover, if $F^*(z) = \alpha_1 + \alpha_2z + \cdots + \alpha_nz^{n-1}$, $F(z) \cdot F^*(z) \equiv 1 \bmod (z^n - 1)$.

Proof. The claim (ii) follows from (i). To show (i), let $n = 2^tm$ with $m$ odd, and $t$ an arbitrary integer. By [62, p. 63, Theorem 2.42 (ii)], every irreducible factor of $z^n - 1$ over $\mathbb{F}_2$ appears at the power $2^t$. Let $\Phi(z)$ be an arbitrary irreducible factor of $H(z) = (z^n - 1)/D(z)$. Since $\gcd(D(z), H(z)) = 1$, $\gcd(F(z), \Phi(z)) = 1$. Therefore, the class of $F(z)$ is invertible in the ring $\mathbb{F}_2[z]/(\Phi^{2^t})$. This implies that there exists $F_\Phi(z)^*$ with $F(z) \cdot F_\Phi(z)^* \equiv 1 \pmod{\Phi^{2^t}}$. Using the fact that $H(z) = \prod_{\Phi \text{ distinct}} \Phi^{2^t}$ and applying the Chinese remainder theorem, we obtain that there exists $F^*$ with $F(z) \cdot F^*(z) \equiv 1 \pmod{H(z)}$. Moreover, $F^*(z)$ is unique modulo $H(z)$.

To show the second claim of (i), we assume that $F \cdot F^* \equiv 1 \pmod{H}$, where $F^*(z) = \sum_{j=1}^{n} \alpha_jz^{j-1}$, and we will show that $AA^*A = A$, where $A^* = C(\alpha_1, \ldots, \alpha_n)$.

Let $R$ be the quotient ring $\mathbb{F}_2[z]/(H(z))$. Since $D$ divides $F$ and $H$ divides $FF^* - 1$, then $z^n - 1 = HD$ divides $F(FF^* - 1)$ and so, we have the identity $F^2F^* = F$ in $\mathbb{F}_2[z]/(z^n - 1)$. Multiplying out the polynomials $F^2$ and $F^*$ and reducing modulo $z^n - 1$, we obtain
$$\sum_{2i+k \equiv 3 \pmod{n}} a_i\alpha_k + \Big( \sum_{2i+k \equiv 4 \pmod{n}} a_i\alpha_k \Big) z + \cdots + \Big( \sum_{2i+k \equiv 2 \pmod{n}} a_i\alpha_k \Big) z^{n-1} = \sum_{i=1}^{n} a_iz^{i-1},$$
from which we infer that
$$C\Big( \sum_{2i+k \equiv 3 \pmod{n}} a_i\alpha_k,\ \sum_{2i+k \equiv 4 \pmod{n}} a_i\alpha_k,\ \ldots,\ \sum_{2i+k \equiv 2 \pmod{n}} a_i\alpha_k \Big) = C(a_1, a_2, \ldots, a_n).$$
That is, $AA^*A = A$.

Using $\gcd(F(z), z^n - 1) = \gcd(F^*(z), z^n - 1)$, by a similar argument as before, we get that $A$ is also a generalized inverse for $A^*$, that is, $A^*AA^* = A^*$, which shows the last claim of (i). □


As for the pseudoinverse, we observe that the transpose of a circulant matrix $A = C(a_1, a_2, \ldots, a_n)$ is $A^t = C(a_1, a_n, \ldots, a_2)$. Let $i' = (n + 2 - i) \bmod n$, and $k' = (n + 2 - k) \bmod n$. Then, we have
$$AA^* = C\Big( \sum_{i+k \equiv 2 \pmod{n}} a_i\alpha_k,\ \sum_{i+k \equiv 3 \pmod{n}} a_i\alpha_k,\ \ldots,\ \sum_{i+k \equiv 1 \pmod{n}} a_i\alpha_k \Big)$$
and
$$\begin{aligned} (AA^*)^t &= C\Big( \sum_{i+k \equiv 2 \pmod{n}} a_{i'}\alpha_{k'},\ \sum_{i+k \equiv 3 \pmod{n}} a_{i'}\alpha_{k'},\ \ldots,\ \sum_{i+k \equiv 1 \pmod{n}} a_{i'}\alpha_{k'} \Big) \\ &= C\Big( \sum_{i'+k' \equiv 2 \pmod{n}} a_{i'}\alpha_{k'},\ \sum_{i'+k' \equiv 1 \pmod{n}} a_{i'}\alpha_{k'},\ \ldots,\ \sum_{i'+k' \equiv 3 \pmod{n}} a_{i'}\alpha_{k'} \Big), \end{aligned}$$
which does not necessarily imply that $AA^* = (AA^*)^t$.


Remark 3.5.7. [56] It may be tempting to conjecture that every circulant matrix has a generalized inverse that is circulant. However, during a computer exercise, we noticed that the circulant matrix $C(1, 0, 0, 1, 0, 0)$ does not have a circulant generalized inverse. We observe that $C(1, 0, 0, 1, 0, 0)$ corresponds to $F(z) = 1 + z^3$ with $n = 6$. Since $z^6 - 1 = F(z)^2$,
$$H(z) = D(z) = F(z).$$
So, we have
$$\gcd(D, H) \ne 1.$$
Therefore, Theorem 3.5.6 does not apply, and $F$ has no inverse modulo $F$.

We  mention  another  way  to  detect  singularity  or  nonsingularity  of  the  associated 
circulant  matrix  to  an  MRS.  In  [46],  Stanica  et  al.  found  a  characterization  of  Boolean 
functions  whose  associated  circulant  matrices  are  singular. 

Proposition 3.5.8. [46] Let $f$ be a degree $d$ MRS with associated $A_f = C(a_1, \ldots, a_n)$ (assume that $a_1 = 1$). Let $\Delta(A_f) = [1, s_2, \ldots, s_d]$. Then, $A_f$ is singular if and only if there is an $n$-th root of unity $\mu$ such that $1 + \mu^{s_2} + \cdots + \mu^{s_d} = 0$ (over $\mathbb{Z}_2$).

Corollary 3.5.9. [46] With the notation of the previous proposition, we have

(i) If $wt(\Delta(A_f))$ is even, then $A_f$ is singular.

(ii) Let $p$ be the least odd prime occurring in the factorization of $n$. Assume that $\Delta(A_f) = [1, s_2, \ldots, s_d]$ has odd weight $d$ and $s_d < p - 2$. Then $A_f$ is nonsingular.

We define the dual function with respect to a degree $d$ MRS function $f$ with invertible $A_f$. We consider the ordered set $\Delta(A_f^{-1}) = [j_1, j_2, \ldots, j_t]$ and define the MRS dual function $f^*$ by
$$f^* = x_{j_1}x_{j_2} \cdots x_{j_t} \ (SANF).$$

Our  next  result  gives  an  extension  for  the  necessity  part  of  Theorem  3.2.4. 

Theorem 3.5.10. [56] Let $f$ and $g$ be two MRS Boolean functions in $n$ variables. If $A_f$ and $A_g$ are invertible and $f \sim g$ ($f$ and $g$ are affine equivalent by a permutation in $S_n$), then $wt(\Delta(f)) = wt(\Delta(g))$ and $wt(\Delta(f^*)) = wt(\Delta(g^*))$.

Proof. Since $f \sim g$, there exists a permutation $\tau \in S_n$ with $A_{f \circ \tau} = A_g$. Clearly, $f$ and $g$ have the same degrees. Therefore, $wt(\Delta(f)) = wt(\Delta(g))$. Let the SANF of $f$ be $x_1x_{j_2} \cdots x_{j_d}$ with $I = \{1, j_2, \ldots, j_d\}$. We set $A_f = \langle C(a_1, \ldots, a_n) \rangle$ such that $a_i = 1$ if $i \in I$, and $0$ otherwise. Using the same steps, we also let $A_f^{-1} = \langle C(\alpha_1, \ldots, \alpha_n) \rangle$, $A_g = \langle C(b_1, \ldots, b_n) \rangle$, and $A_g^{-1} = \langle C(\beta_1, \ldots, \beta_n) \rangle$. Then we have
$$\langle C(b_1, \ldots, b_n) \rangle = \langle C(a_{\pi(1)}, a_{\pi(2)}, \ldots, a_{\pi(n)}) \rangle,$$
since $A_g = A_{f \circ \tau}$, where $\pi = \tau^{-1}$. We introduce the notations $r_i(A)$ and $c_j(A)$ for the $i$-th row and the $j$-th column of a matrix $A$, respectively. Since the permutation $\tau$ preserves the rotation symmetry, there exists a permutation matrix $P$ such that every row of $PA_g$ (not a circulant matrix any longer) is the permutation of the same indexed row of $A_f$. Then we have
$$r_i(PA_g) = \pi(r_i(A_f)).$$
By the hypothesis, there exists the inverse matrix
$$U = A_f^{-1} = \langle C(\alpha_1, \ldots, \alpha_n) \rangle.$$
Therefore, we have
$$r_i(A_f)U = r_i(I_n),$$
$$r_i(U)A_f = r_i(I_n).$$
Then, we can set
$$r_i(A_f) = (a_{i,1}, a_{i,2}, \ldots, a_{i,n}) = (a_{n-i+2}, \ldots, a_{n-i+1}),$$
which is the $i$-th shift of the first row of $A_f$. Let $\delta_{i,j}$ be the Kronecker delta function, that is, $\delta_{i,j} = 1$ if $i = j$, and $\delta_{i,j} = 0$ otherwise. Since $\pi$ is a permutation, we can interpret the equation $A_fU = I_n$ in the following way:
$$a_{i,\pi(1)}\alpha_{\pi(1),j} + \cdots + a_{i,\pi(n)}\alpha_{\pi(n),j} = \delta_{i,j}, \quad 1 \le i, j \le n. \qquad (3.4)$$
Then, we have
$$U^{(\pi)} = P_\pi U,$$
where $P_\pi$ is the permutation matrix for $\pi$. Therefore, Equation (3.4) is simply $r_i(PA_g)c_j(U^{(\pi)}) = \delta_{i,j}$. Therefore,
$$PA_gU^{(\pi)} = I_n$$
and
$$U^{(\pi)}PA_g = I_n.$$
Therefore,
$$r_i(U^{(\pi)}P)A_g = r_i(I_n).$$
Due to the uniqueness of Theorem 3.5.6,
$$r_i(U^{(\pi)}P) = r_i(A_g^{-1}).$$

Recall that multiplication by a permutation matrix to the right has the effect of rearranging the columns, and to the left has the effect of rearranging the rows. Since $U^{-1}$ is also circulant, hence every row has the same weight, we obtain

wt(P  1,  •  •  •  ,Pn)  =  wt  =  wt  (ri(C/(“J)) 

=  wt  (niP-'U-1))  =  wtir^U-1)) 

j  £^n)* 
□

Example 3.5.11. [56] Take $n = 5$, and $f \sim g$ whose SANFs are $x_1x_2x_4$, respectively, $x_1x_2x_3$ (and so, $wt(\Delta(f)) = wt(\Delta(g))$). Certainly,
$$A_f = C(1, 1, 0, 1, 0), \quad A_g = C(1, 1, 1, 0, 0),$$
$$A_f^{-1} = C(0, 1, 1, 1, 0), \quad A_g^{-1} = C(0, 1, 1, 0, 1),$$
and so, $wt(\Delta(f^*)) = wt(\Delta(g^*))$ (in fact, in this case the dual of $f$ is $f^* = g$). As another example, we take $n = 8$, $f, g$ with SANFs $x_1x_2x_4$, respectively, $x_1x_4x_5$ (and so, $wt(\Delta(f)) = wt(\Delta(g))$). We compute
$$A_f = C(1, 1, 0, 1, 0, 0, 0, 0), \quad A_g = C(1, 0, 0, 1, 1, 0, 0, 0),$$
$$A_f^{-1} = C(1, 0, 1, 0, 0, 1, 1, 1), \quad A_g^{-1} = C(0, 0, 1, 0, 0, 1, 1, 0),$$
and so, $wt(\Delta(f^*)) = 5 \ne wt(\Delta(g^*)) = 3$, therefore $f \not\sim g$.

Remark 3.5.12. The conditions $wt(\Delta(f)) = wt(\Delta(g))$, $wt(\Delta(f^*)) = wt(\Delta(g^*))$ are not sufficient to ensure that the functions $f, g$ are S-equivalent. As an example, take $n = 8$ and $f, g$ with $\Delta(f) = [1, 2, 3]$, $\Delta(g) = [1, 2, 4]$. The two functions are not in the same S-equivalence class, yet $wt(\Delta(f)) = wt(\Delta(g)) = 3$ and $wt(\Delta(f^*)) = wt(\Delta(g^*)) = 5$, as one can check easily.
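Theorem 3.5.6, Remark 3.5.7, Example 3.5.11 and Remark 3.5.12 can all be reproduced with polynomial arithmetic in $\mathbb{F}_2[z]$. The Python below is an added example, not code from the thesis: it computes $D$, $H$ and $F^*$ as in Theorem 3.5.6(i) and cross-checks the negative case of Remark 3.5.7 by exhaustive search. Polynomials are stored as Python integers (bit $i$ is the coefficient of $z^i$), and all function names are chosen here.

```python
def pdeg(p):
    return p.bit_length() - 1

def pmul(a, b):
    """Product in F2[z]."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        b >>= 1
    return r

def pdivmod(a, b):
    """Quotient and remainder of a by b in F2[z] (b nonzero)."""
    q = 0
    while a and pdeg(a) >= pdeg(b):
        s = pdeg(a) - pdeg(b)
        q ^= 1 << s
        a ^= b << s
    return q, a

def pgcd(a, b):
    while b:
        a, b = b, pdivmod(a, b)[1]
    return a

def pinv(a, m):
    """Inverse of a modulo m by the extended Euclidean algorithm, or None."""
    r0, r1, s0, s1 = m, pdivmod(a, m)[1], 0, 1
    while r1:
        q, r = pdivmod(r0, r1)
        r0, r1, s0, s1 = r1, r, s1, s0 ^ pmul(q, s1)
    return pdivmod(s0, m)[1] if r0 == 1 else None

def to_poly(row):
    """First row (c_1, ..., c_n) -> generating polynomial c_1 + c_2 z + ..."""
    return sum(bit << i for i, bit in enumerate(row))

def to_row(p, n):
    return tuple((p >> i) & 1 for i in range(n))

def circ_product(p, q, n):
    """Product of two circulants, as polynomials modulo z^n - 1."""
    return pdivmod(pmul(p, q), (1 << n) | 1)[1]

def circulant_generalized_inverse(row):
    """First row of A* from Theorem 3.5.6(i); None when gcd(D, H) != 1."""
    n = len(row)
    f, modulus = to_poly(row), (1 << n) | 1   # z^n - 1 = z^n + 1 over F2
    d = pgcd(modulus, f)                      # D(z)
    h = pdivmod(modulus, d)[0]                # H(z)
    if pgcd(d, h) != 1:
        return None
    return to_row(pinv(f, h), n)

def is_generalized_inverse(row, cand):
    """Check A A* A = A for circulants given by their first rows."""
    n, f, x = len(row), to_poly(row), to_poly(cand)
    return circ_product(circ_product(f, x, n), f, n) == f

def search_circulant_generalized_inverse(row):
    """Exhaustive search over all 2^n circulants (small n only)."""
    n = len(row)
    for x in range(1 << n):
        if is_generalized_inverse(row, to_row(x, n)):
            return to_row(x, n)
    return None

if __name__ == "__main__":
    for row in [(1, 1, 0, 1, 0), (1, 1, 1, 0, 0),
                (1, 1, 0, 1, 0, 0, 0, 0), (1, 0, 0, 1, 1, 0, 0, 0),
                (1, 1, 1, 0, 0, 0, 0, 0), (1, 1, 0), (1, 0, 0, 1, 0, 0)]:
        print(row, "->", circulant_generalized_inverse(row))
    print("search:", search_circulant_generalized_inverse((1, 0, 0, 1, 0, 0)))
```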

For a degree $d$ MRS, whose class $A_f$ is not invertible, let the equivalence class of the circulant pseudoinverse matrix be denoted by $A_f^\dagger$ with $\Delta(A_f^\dagger) = [j_1, j_2, \ldots, j_t]$. Then the pseudo-dual Boolean function is
$$f^\dagger = x_{j_1}x_{j_2} \cdots x_{j_t} \oplus x_{j_1+1}x_{j_2+1} \cdots x_{j_t+1} \oplus \cdots \oplus x_{j_1-1}x_{j_2-1} \cdots x_{j_t-1}.$$
We propose the following question, which seems to be true, based on computer data.

Open Problem. [56] If $f \sim g$ with singular matrices $A_f$ and $A_g$, respectively, with circulant pseudoinverses, is it true that $wt(\Delta(f)) = wt(\Delta(g))$ implies $wt(\Delta(f^\dagger)) = wt(\Delta(g^\dagger))$?

We  now  present  some  results  obtained  while  pursuing  the  open  problem. 

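Theorem 3.5.13. [56] Let $f$ and $g$ be two $n$-variable MRS with $f \sim g$, and $A_f = C(a_1, \ldots, a_n)$, $A_g = C(a_{\pi(1)}, \ldots, a_{\pi(n)})$ for some permutation $\pi$. The matrices have pseudoinverses $C(\alpha_1, \ldots, \alpha_n)$ and $C(\beta_1, \ldots, \beta_n)$, respectively. Let $\tau$ be the permutation $\tau(1) = 1$, $\tau(2) = \lceil n/2 \rceil + 1$, $\tau(3) = 2$, $\tau(4) = \lceil n/2 \rceil + 2, \ldots$. The following statements are true:

(i) Let $n$ be odd. Then
$$\begin{aligned} (a_1, \ldots, a_n) &= (a_{\tau(1)}, \ldots, a_{\tau(n)})\, C(\alpha_1, \ldots, \alpha_n) \\ (\alpha_1, \ldots, \alpha_n) &= (\alpha_{\tau(1)}, \ldots, \alpha_{\tau(n)})\, C(a_1, \ldots, a_n) \\ (a_{\pi(1)}, \ldots, a_{\pi(n)}) &= (a_{(\pi \circ \tau)(1)}, \ldots, a_{(\pi \circ \tau)(n)})\, C(\beta_1, \ldots, \beta_n) \\ (\beta_1, \ldots, \beta_n) &= (\beta_{\tau(1)}, \ldots, \beta_{\tau(n)})\, C(a_{\pi(1)}, \ldots, a_{\pi(n)}) \end{aligned}$$

(ii) Let $n$ be even. Then
$$\begin{aligned} (a_1, \ldots, a_n) &= (a_{\tau(1)} \oplus a_{\tau(2)}, 0, a_{\tau(3)} \oplus a_{\tau(4)}, 0, \ldots)\, C(\alpha_1, \ldots, \alpha_n) \\ (\alpha_1, \ldots, \alpha_n) &= (\alpha_{\tau(1)} \oplus \alpha_{\tau(2)}, 0, \alpha_{\tau(3)} \oplus \alpha_{\tau(4)}, 0, \ldots)\, C(a_1, \ldots, a_n) \\ (a_{\pi(1)}, \ldots, a_{\pi(n)}) &= (a_{(\pi \circ \tau)(1)} \oplus a_{(\pi \circ \tau)(2)}, 0, \ldots)\, C(\beta_1, \ldots, \beta_n) \\ (\beta_1, \ldots, \beta_n) &= (\beta_{\tau(1)} \oplus \beta_{\tau(2)}, 0, \ldots)\, C(a_{\pi(1)}, \ldots, a_{\pi(n)}). \end{aligned}$$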

Proof. (i) Let $n$ be odd. For the first part, by the definition of pseudoinverse,

$(\alpha_1,\ldots,\alpha_n) = (1,0,\ldots,0)\, C(\alpha_1,\ldots,\alpha_n)$

$= (1,0,\ldots,0)\, C(\alpha_1,\ldots,\alpha_n)\, C(a_1,\ldots,a_n)\, C(\alpha_1,\ldots,\alpha_n)$

$= (1,0,\ldots,0)\, C(\alpha_1,\ldots,\alpha_n)^2\, C(a_1,\ldots,a_n).$

Let $P_\tau$ be the permutation matrix for $\tau$. By Corollary 3.4.5,

$C(\alpha_1,\ldots,\alpha_n)^2 = C(\alpha_1, \alpha_{\lceil n/2\rceil+1}, \alpha_2, \alpha_{\lceil n/2\rceil+2}, \ldots, \alpha_{\lceil n/2\rceil})$

$= C((\alpha_1,\ldots,\alpha_n) P_\tau)$

$= C(\alpha_{\tau(1)},\ldots,\alpha_{\tau(n)}).$

Therefore,

$(\alpha_1,\ldots,\alpha_n) = (1,0,\ldots,0)\, C(\alpha_1,\ldots,\alpha_n)^2\, C(a_1,\ldots,a_n)$

$= (1,0,\ldots,0)\, C(\alpha_{\tau(1)},\ldots,\alpha_{\tau(n)})\, C(a_1,\ldots,a_n)$

$= (\alpha_{\tau(1)},\ldots,\alpha_{\tau(n)})\, C(a_1,\ldots,a_n).$

The second part is immediate since $C(a_1,\ldots,a_n)$ is a pseudoinverse of $C(\alpha_1,\ldots,\alpha_n)$,
which shows that it is also reflexive inverse.

For the third part, let $P_\pi$ be the permutation matrix for $\pi$. Then, using Corollary
3.4.5,

$(a_{\pi(1)},\ldots,a_{\pi(n)}) = (1,0,\ldots,0)\, C(a_{\pi(1)},\ldots,a_{\pi(n)})$

$= (1,0,\ldots,0)\, C(a_{\pi(1)},\ldots,a_{\pi(n)})^2\, C(\beta_1,\ldots,\beta_n)$

$= (a_{(\pi\circ\tau)(1)},\ldots,a_{(\pi\circ\tau)(n)})\, C(\beta_1,\ldots,\beta_n).$

The fourth part is immediate, since $C(\beta_1,\ldots,\beta_n)$ is a reflexive inverse of
$C(a_{\pi(1)},\ldots,a_{\pi(n)})$.

(ii) We can show this using similar techniques used in (i) with Corollary 3.4.5. □

For an MRS function $f$, when $A_f$ does not have a pseudoinverse, but circulant
generalized inverses, the notion of dual is not well defined. Often, the weights of the
generalized inverses differ and the generalized inverses are not unique. However, they
do correspond to a unique generalized inverse, which is the smallest in lexicographical
order, via the congruence modulo the corresponding $H$'s in Theorem 3.5.6. This uniqueness
is not readily recognizable in matrix form. Let us define the dual Boolean function
corresponding to that unique representative of all generalized inverses. Using this notion,
for singular $A_f$ and $A_g$ without a pseudoinverse, but with circulant generalized inverses,
the condition $wt(A(f^*)) = wt(A(g^*))$ does not hold. To illustrate this, let $n = 7$. We
check that $f = x_1x_2x_3x_5$ (SANF) and $g = x_1x_2x_3x_6$ (SANF) are S-equivalent. The
functions do not have pseudoinverses, but circulant generalized inverses. We computed all
generalized inverses that are circulant, and they are in the classes $A_f^* = C(1,0,0,0,0,0,0)$
and $A_g^* = C(1,1,0,0,0,0,0)$, respectively. Clearly, we have

$wt(A(f^*)) \neq wt(A(g^*))$.
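The circulant computations in the $n = 8$ example, in Remark 3.5.12 and in the $n = 7$ illustration above can be reproduced by treating $C(c_1,\ldots,c_n)$ as the polynomial $c_1 + c_2x + \cdots + c_nx^{n-1}$ over $F_2$ modulo $x^n + 1$. The following is an added example, not code from the thesis or from [56]; all function names are chosen here, and the generalized-inverse test assumes the standard condition $AGA = A$.

```python
"""Circulant matrices over F2 handled as polynomials modulo x^n + 1."""


def row_to_poly(row):
    # First row (c_1, ..., c_n) -> integer whose bit i is the coefficient of x^i.
    return sum(bit << i for i, bit in enumerate(row))


def poly_to_row(p, n):
    return [(p >> i) & 1 for i in range(n)]


def pmul(a, b):
    # Carry-less product in F2[x]; polynomials are held as Python integers.
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        b >>= 1
    return r


def pdivmod(a, b):
    # Quotient and remainder of a by b in F2[x]; b must be non-zero.
    q, db = 0, b.bit_length()
    while a.bit_length() >= db:
        shift = a.bit_length() - db
        q ^= 1 << shift
        a ^= b << shift
    return q, a


def circ_mul(row_a, row_b):
    # Product of two circulants = cyclic convolution of their first rows.
    n = len(row_a)
    r = pmul(row_to_poly(row_a), row_to_poly(row_b))
    return poly_to_row((r & ((1 << n) - 1)) ^ (r >> n), n)  # fold x^n -> 1


def circ_inverse(row):
    """First row of the inverse circulant, or None when C(row) is singular."""
    n = len(row)
    m = (1 << n) | 1  # x^n + 1
    r0, r1, s0, s1 = m, row_to_poly(row), 0, 1
    while r1:  # extended Euclid, invariant: s_i * a = r_i (mod x^n + 1)
        q, r = pdivmod(r0, r1)
        r0, r1 = r1, r
        s0, s1 = s1, s0 ^ pmul(q, s1)
    if r0 != 1:  # gcd(a, x^n + 1) != 1, so no inverse exists
        return None
    return poly_to_row(pdivmod(s0, m)[1], n)


def is_generalized_inverse(row_a, row_g):
    # Assumed definition: G is a generalized inverse of A when A G A = A.
    return circ_mul(circ_mul(row_a, row_g), row_a) == list(row_a)


def index_set_to_row(indices, n):
    # [1, 2, 4] with n = 8 -> (1,1,0,1,0,0,0,0)
    return [1 if i + 1 in indices else 0 for i in range(n)]


def weight(row):
    return sum(row)


if __name__ == "__main__":
    for idx in ([1, 2, 4], [1, 4, 5], [1, 2, 3]):
        row = index_set_to_row(idx, 8)
        inv = circ_inverse(row)
        print(idx, "C" + str(tuple(row)), "inverse", tuple(inv), "wt", weight(inv))
    for idx, g in (([1, 2, 3, 5], [1, 0, 0, 0, 0, 0, 0]),
                   ([1, 2, 3, 6], [1, 1, 0, 0, 0, 0, 0])):
        row = index_set_to_row(idx, 7)
        print(idx, "singular:", circ_inverse(row) is None,
              "A G A = A:", is_generalized_inverse(row, g))
```
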

We now consider the case of a converse of our previous theorem. For simplicity, we
assume all indices are mod $n$. Let $P$ and $Q$ be permutation matrices. Then, it is known
that if two circulant matrices $A$ and $B$ are P-Q equivalent, that is, $PA = BQ$, then $AA^T$
and $BB^T$ are similar matrices [63]. Moreover, it is straightforward to see that $AA^T =
\sum_{i,j \in A(A)} G^{a_i - a_j}$ where $A = C(a_1, \ldots, a_n)$. This actually points to the importance of
the differences $a_i - a_j$, which played a role in Cusick's paper [55], which only addresses
the MRS functions with $wt(A(f)) = 3$. Given a permutation $\delta$, we let $P_\delta$ be the row
permutation matrix corresponding to the permutation $\delta$.

Theorem 3.5.14. [56] Let $f$ and $g$ be MRS functions with $A_f = C(a_1,\ldots,a_n)$, $A_g =
C(b_1,\ldots,b_n)$, respectively. Let a permutation matrix $P_\sigma$ for the permutation $\sigma$ and a
permutation matrix $Q_\tau$ for the permutation $\tau$ be such that $P_\sigma A_f = A_g Q_\tau$. Then, $wt(A(f)) =
wt(A(g))$ and $a_{\sigma(j)+i-1} = b_{\tau(i)+j-1}$.

If $A_f$ and $A_g$ are invertible, then we also have

$(\alpha_1,\ldots,\alpha_n) = (\beta_{\sigma^{-1}(1)-\tau(1)+n+1},\ldots,\beta_{\sigma^{-1}(n)-\tau(1)+n+1})$,

and

$wt(A(f^*)) = wt(A(g^*))$

where $(\alpha_1,\ldots,\alpha_n) = A_f^{-1}$ and $(\beta_1,\ldots,\beta_n) = A_g^{-1}$.

Proof. Let $A_f = C(a_1,\ldots,a_n)$ and $A_g = C(b_1,\ldots,b_n)$. We write

$$P_\sigma A_f = \begin{pmatrix} a_{\sigma(1)} & a_{\sigma(1)+1} & \cdots & a_{\sigma(1)+n-1} \\ a_{\sigma(2)} & a_{\sigma(2)+1} & \cdots & a_{\sigma(2)+n-1} \\ \vdots & \vdots & & \vdots \\ a_{\sigma(n)} & a_{\sigma(n)+1} & \cdots & a_{\sigma(n)+n-1} \end{pmatrix}, \qquad A_g Q_\tau = \begin{pmatrix} b_{\tau(1)} & b_{\tau(2)} & \cdots & b_{\tau(n)} \\ b_{\tau(1)+1} & b_{\tau(2)+1} & \cdots & b_{\tau(n)+1} \\ \vdots & \vdots & & \vdots \\ b_{\tau(1)+n-1} & b_{\tau(2)+n-1} & \cdots & b_{\tau(n)+n-1} \end{pmatrix}.$$

From $P_\sigma A_f = A_g Q_\tau$ we derive


We note that the first rows of $P_\sigma A_f$ and $A_g Q_\tau$ are the same. Also, the sets $\{\sigma(1), \sigma(1)+1,
\ldots, \sigma(1)+n-1\}$ and $\{\tau(1), \tau(2), \ldots, \tau(n)\}$ are simply permutations of $\{1, 2, \ldots, n\}$.
Therefore, we see that

$wt(a_{\sigma(1)}, \ldots, a_{\sigma(1)+n-1}) = wt(a_1, a_2, \ldots, a_n)$,

$wt(b_{\tau(1)}, b_{\tau(2)}, \ldots, b_{\tau(n)}) = wt(b_1, b_2, \ldots, b_n)$,

and

$wt(A(f)) = wt(A(g))$.

From Theorem 3.5.6, $\alpha_i$ and $\beta_i$ with $1 \le i \le n$ are unique with the property

$(1,0,\ldots,0) = (\alpha_1,\ldots,\alpha_n)\, C(a_1,\ldots,a_n)$   (3.5)

$(1,0,\ldots,0) = (\beta_1,\ldots,\beta_n)\, C(b_1,\ldots,b_n)$.

We multiply the second relation by $Q_\tau$ from the right and obtain

$(0,\ldots,0,\overset{\tau(1)}{1},0,\ldots) = (\beta_1,\ldots,\beta_n)\, A_g Q_\tau$

$= (\beta_1,\ldots,\beta_n)\, P_\sigma A_f$   (3.6)

$= (\beta_{\sigma^{-1}(1)},\ldots,\beta_{\sigma^{-1}(n)})\, A_f.$

We multiply the last equation from the right by the permutation matrix $R_p^{\,n+1-\tau(1)}$, corresponding
to the shift to rewrite the left hand side of (3.6) in the standard form
$(1,0,\ldots,0)$. Since $R_p^{\,n+1-\tau(1)}$ is also a circulant matrix, by Lemma 3.4.4, it will commute
with $A_f$ and (3.6) becomes

$(1,0,\ldots,0) = (\beta_{\sigma^{-1}(1)},\ldots,\beta_{\sigma^{-1}(n)})\, R_p^{\,n+1-\tau(1)} A_f$

$= (\beta_{\sigma^{-1}(1)-\tau(1)+1},\ldots,\beta_{\sigma^{-1}(n)-\tau(1)+1})\, A_f.$

Since $(\alpha_1,\ldots,\alpha_n)$ was unique with the property (3.5),

$(\alpha_1,\ldots,\alpha_n) = (\beta_{\sigma^{-1}(1)-\tau(1)+1},\ldots,\beta_{\sigma^{-1}(n)-\tau(1)+1})$

where the indices are mod $n$. Since the indices above right are just a permutation of
$\{1, 2, \ldots, n\}$, we immediately get $wt(A(f^*)) = wt(A(g^*))$.

□


The  previous  theorem  easily  extends  to  the  following  corollary. 

Corollary 3.5.15. [56] Let $f$ and $g$ be two full-cycle MRS functions with the invertible
classes $A_f$ and $A_g$, respectively. Let $A_f^{-1} = C(\alpha_1,\ldots,\alpha_n)$ and $A_g^{-1} = C(\beta_1,\ldots,\beta_n)$. If
$f \sim g$, then there exists a permutation matrix $P$ such that

$P \cdot (\alpha_1,\ldots,\alpha_n)^T = (\beta_1,\ldots,\beta_n)^T$.

4.  MRS  BOOLEAN  FUNCTIONS  AND  GRAPHS


4.1.  INTRODUCTION 

The difficulty in the affine equivalence problem may be mitigated by establishing
relationships to other disciplines in mathematics for possible solutions. Graph theory studies
the properties of a graph, which is a structure defined by a set of vertices (or nodes)
and a set of edges which connect vertices to each other. Often, a graph representation of
an algebraic structure helps us to visualize the complexity of the structure. One simple
example is visualization of a Boolean function using a tree, which is a graph in which each
pair of vertices is connected by a unique path. There have been many attempts to establish
meaningful relationships between graphs and Boolean functions. One of the interesting
connections involves bent functions and Cayley graphs. In [64], Bernasconi and Codenotti
showed that the Walsh transforms of some Boolean functions can be analyzed by a
Cayley graph representation of Boolean functions. They later extended their finding to the
characterization of bent functions, using strongly regular graphs in [65]. In 2007, Stanica
[66] presented necessary conditions for bent functions and investigated the propagation
criteria of Boolean functions, using the Cayley graph representation. In this chapter, we
present some basic graph-theory material, briefly review the Cayley graph representation,
and present a new graph representation of MRS functions and some analysis in regard to
S-equivalence.

4.2.  EXAMPLE  OF  GRAPH  REPRESENTATION  OF  BOOLEAN  FUNCTIONS 

4.2.1.  Definitions  and  Fundamentals  of  a  Graph 

A graph $G = (V, E)$ is defined by a set of vertices, $V$ or $V(G)$, and a set of edges,
$E$ or $E(G) = \{\{x,y\} \mid x, y \in V, \text{ and } x \neq y\}$. If $\{x,y\} \in E(G)$, we say that $x$ and
$y$ are adjacent. The number of edges that are incident with the vertex $v$ is the degree of
$v$, denoted by $\deg(v)$. Two vertices are connected if we can go from one vertex to the
other by traveling a path defined by the edges of the graph. A graph is connected if for
every pair of vertices, there exists a path of edges connecting them. If a graph is not
connected, it is disconnected. If each vertex of a graph $G$ has the same degree, we call
$G$ a regular graph. A regular graph $G$ is strongly regular if there exist two integers $m$
and $n$ such that every two adjacent vertices have $m$ common neighbors, and every two
nonadjacent vertices have $n$ common neighbors. A graph $G$ is bipartite if $V(G)$ can be
partitioned into two sets $V_1$ and $V_2$ such that there exists no edge $\{v,w\}$ with $v, w \in V_1$
or $v, w \in V_2$. A graph $G$ is complete if $E(G)$ contains all possible edges. We denote the
complete graph on $n$ vertices by $K_n$. Another special graph we use in this chapter is a cycle.
In this thesis, we denote a cycle as $[v_1, v_2, \ldots, v_n]$ where $\{v_1, v_2, \ldots, v_n\} \subseteq V(G)$ and $E =
\{\{v_1,v_2\}, \{v_2,v_3\}, \ldots, \{v_{n-1},v_n\}, \{v_n,v_1\}\}$. Clearly, a cycle is a connected regular graph
(or subgraph) of degree 2. Next, we give a formal definition of equality and isomorphism
in graphs.

Definition 4.2.1. Two graphs $G(V_G, E_G)$ and $H(V_H, E_H)$ are equal if

$V_G = V_H$ and $E_G = E_H$.

The graphs $G$ and $H$ are isomorphic if there exists a bijection

$f : V_G \to V_H$,

such that for any vertices $u, v \in V_G$, $\{u, v\} \in E_G$ if and only if $\{f(u), f(v)\} \in E_H$.

Example 4.2.2. Let $G_1$ be the graph with $V(G_1) = \{1, 2, 3, 4, 5\}$ and
$E(G_1) = \{\{1,2\}, \{1,3\}, \{2,3\}, \{2,4\}, \{3,4\}, \{4,5\}\}$. Sub-figure (a) of Figure 4.1 represents
a drawing of $G_1$. The graph $G_1$ is not regular, since $\deg(1) = 2$ and $\deg(2) = 3$.
The graphs $G_1$ and $G_2$ are isomorphic by the permutation (1,5)(2,4). The graph $G_3$ is $K_5$
and clearly strongly regular. The graph $G_4$ on the sub-figure (d) is the cycle [1,2,3,4,5,6].
However, it is not strongly regular, since the vertices 1 and 3 have one common neighbor
2, but vertices 1 and 4 have no common neighbor. It is bipartite, with the partition

$V_1 = \{1,3,5\}$ and $V_2 = \{2,4,6\}$.


Figure 4.1: Simple Graphs


4.2.2.  An  Example  of  Application  of  Graph  Theory  to  Cryptographic  Boolean 
Function 

There have been many attempts to establish relationships between graph theory and
Boolean functions. One of the most interesting relationships involves affine equivalence of
Boolean functions and Cayley graphs.

Definition 4.2.3. [4, p. 194] Let $f$ be a Boolean function of $n$ variables. The Cayley graph
of $f$, denoted by $\Gamma_f = (V, E)$, is defined by $V = F_2^n$ and

$E = \{\{v, w\} \mid v, w \in F_2^n,\ v \neq w, \text{ and } f(v \oplus w) = 1\}$.

In [64], Bernasconi and Codenotti introduced the relationship between the Cayley
graph representation of Boolean functions and affine equivalence classes of four-variable
Boolean functions. They established an isomorphism between the eight affine equivalence
classes of the 4-variable Boolean functions and eight classes of regular graphs with 16
vertices. Table 4.1 and Figure 4.2 illustrate their findings. They observed that, as the
nonlinearity increases in the affine equivalence classes, the degree and connectivity of the
matching graphs increase as well. Notably, the Class V and Class VI graphs are both 4-regular
graphs, but the Class VI graph is connected, whereas the Class V graph is disconnected. A supplemental
analysis of the relationship and other related materials can be found in [4, pp. 205-208].
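The correspondence between Table 4.1 and the Cayley graphs of Definition 4.2.3 can be checked directly. The following added example (not code from the thesis or from [64]) builds the graph for each truth table of Table 4.1, reports degree and number of connected components, and confirms that each Walsh value is an eigenvalue of the adjacency matrix. It assumes that the leftmost character of a truth table is $f(0000)$ and that the Walsh value at $w$ is $\sum_x f(x)(-1)^{w \cdot x}$, the convention that reproduces the table rows.

```python
"""Cayley graphs of the eight 4-variable classes listed in Table 4.1."""

# Truth tables as printed in Table 4.1. Assumption of this example: character
# i of the string is f(i), with i = 0..15 read as a 4-bit input vector.
CLASSES = {
    "I": "0000000000000000", "II": "0000000000000001",
    "III": "0000000000000011", "IV": "0000000000000111",
    "V": "0000000000001111", "VI": "0000000000010111",
    "VII": "0000000100010111", "VIII": "0000001101011001",
}


def truth_table(bits):
    return [int(c) for c in bits]


def sign(w, x):
    # (-1)^(w . x), the inner product taken over F2.
    return -1 if bin(w & x).count("1") % 2 else 1


def cayley_adjacency(tt):
    # Definition 4.2.3: v and w are adjacent when v != w and f(v XOR w) = 1.
    size = len(tt)
    return {v: {w for w in range(size) if w != v and tt[v ^ w]}
            for v in range(size)}


def regular_degree(adj):
    # Common degree of all vertices, or None if the graph is not regular.
    degs = {len(nb) for nb in adj.values()}
    return degs.pop() if len(degs) == 1 else None


def components(adj):
    # Number of connected components, by depth-first search.
    seen, count = set(), 0
    for start in adj:
        if start in seen:
            continue
        count += 1
        seen.add(start)
        stack = [start]
        while stack:
            v = stack.pop()
            for w in adj[v] - seen:
                seen.add(w)
                stack.append(w)
    return count


def walsh(tt):
    size = len(tt)
    return [sum(tt[x] * sign(w, x) for x in range(size)) for w in range(size)]


def is_eigenpair(adj, w, value):
    # Checks A * chi_w = value * chi_w for the character chi_w(v) = (-1)^(w . v).
    return all(sum(sign(w, u) for u in adj[v]) == value * sign(w, v)
               for v in adj)


def class_report(name):
    tt = truth_table(CLASSES[name])
    adj = cayley_adjacency(tt)
    return {"degree": regular_degree(adj),
            "components": components(adj),
            "walsh": walsh(tt)}


if __name__ == "__main__":
    for name in CLASSES:
        rep = class_report(name)
        print(f"{name:>4}: degree {rep['degree']}, "
              f"components {rep['components']}, walsh {rep['walsh']}")
```
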

4.3.  A  GRAPH  REPRESENTATION  OF  ROTATION-SYMMETRIC  BOOLEAN 
FUNCTIONS 

We recall that an MRS function has a cyclical structure in its algebraic normal form
(ANF). Adopting this feature, we attempt to represent a Boolean function with a graph
with a similar property. We observe that an MRS function is a homogeneous function
where each multiplication term of variables can be represented as a cycle. For example,
the MRS Boolean function $f(x) = x_1x_2x_3 \oplus x_2x_3x_4 \oplus x_3x_4x_5 \oplus x_4x_5x_6 \oplus x_5x_6x_1 \oplus
x_6x_1x_2$ of six variables can generate six cycles on vertices 1 through 6, that is [1,2,3],
[2,3,4], [3,4,5], [4,5,6], [5,6,1], and [6,1,2]. We can combine them, disregarding multiple
edges, and obtain the graph represented in Figure 4.3. We note that the graph is regular but
not strongly regular, since non-neighboring vertices 1 and 3 have the common neighbors
vertices 2 and 5, but 1 and 4 have the common neighbors 2, 3, 5, and 6.

However, this construction may present a problem with the ordering of variables.
Consider the following example.

Class   Boolean Function    Walsh Spectrum
I       0000000000000000     0   0   0   0   0   0   0   0   0   0   0   0   0   0   0   0
II      0000000000000001     1  -1  -1   1  -1   1   1  -1  -1   1   1  -1   1  -1  -1   1
III     0000000000000011     2   0  -2   0  -2   0   2   0  -2   0   2   0   2   0  -2   0
IV      0000000000000111     3  -1  -1  -1  -3   1   1   1  -3   1   1   1   3  -1  -1  -1
V       0000000000001111     4   0   0   0  -4   0   0   0  -4   0   0   0   4   0   0   0
VI      0000000000010111     4  -2  -2   0  -2   0   0   2  -4   2   2   0   2   0   0  -2
VII     0000000100010111     5  -3  -3   1  -3   1   1   1  -3   1   1   1   1   1   1  -3
VIII    0000001101011001     6  -2  -2   2  -2  -2   2  -2  -2   2  -2  -2  -2   2   2   2

Table 4.1: Affine Equivalence Classes of 4-Variable Boolean Functions From [64]


Example 4.3.1. Let $f = x_1x_2x_3x_4$ (SANF) $\in$ F|. Algebraically, $x_1x_2x_3x_4 = x_1x_3x_2x_4$.

However,  they  generate  two  different  cycles  and  hence  two  different  graph  representations 
as  shown  in  Figure  4.4. 

This  indicates  that  the  cyclic  representation  of  MRS  is  sensitive  to  the  order  of 
variables.  In  order  to  obtain  a  consistent  graph  not  affected  by  this  ordering  problem,  we 
introduce  the  following  notion,  adding  an  order  property  to  the  definition  of  SANF. 

Definition 4.3.2. Let $f$ be an MRS function of $n$ variables with the SANF $x_{j_1}x_{j_2}\cdots x_{j_d}$,
where $1 < d < n$. The ordered short algebraic normal form (OSANF) of $f$, denoted by
$f = x_{i_1}x_{i_2}\cdots x_{i_d}$ (OSANF) or $f = \|x_{i_1}x_{i_2}\cdots x_{i_d}\|$, is the SANF $x_{i_1}x_{i_2}\cdots x_{i_d}$ such that

$i_1 = 1$ and $1 = i_1 < i_2 < \cdots < i_d$.

By Definition 4.3.2, our scheme generates one and only one graph for each MRS
Boolean function.

Figure 4.2: Cayley Graph Classes of 4-Variable Boolean Function From [64] (surviving panel labels: (a) Class I, (b) Class II, (c) Class III, (d) Class IV, (f) Class VI)


Definition 4.3.3. A cycle combination graph (CCG) of an $n$-variable MRS Boolean function
$f(x) = x_1x_{P_2}x_{P_3}\ldots x_{P_d}$ (OSANF) with $d < n$, denoted by $G_f$, is a simple graph with
$V = \{1, 2, \ldots, n\}$ and the edges of the cycles,

$[1, P_2, P_3, \ldots, P_d]$,

$[2, P_2 + 1 \bmod n, P_3 + 1 \bmod n, \ldots, P_d + 1 \bmod n]$, and

$[n, P_2 + n - 1 \bmod n, P_3 + n - 1 \bmod n, \ldots, P_d + n - 1 \bmod n]$,

regarding multiple edges as one edge.

Figure 4.3: A Cycle Combination of an MRS Boolean Function (panels: (a) Cycle 1; (b) Cycles 1 and 2)

Figure 4.4: Two Graphs Generated by the Same SANF (panels: (a) $x_1x_2x_3x_4$ (SANF); (b) $x_1x_3x_2x_4$ (SANF))

Remark 4.3.4. In order to make our algebraic operations for the indices work, we add an
additional property to the modular arithmetic in this chapter.

We set

$n \bmod n = 0$.

This gives us $x_0 = x_n$, and we use the notations interchangeably.

We observe that two Boolean functions in $B_n$ form a relationship with respect to
the CCG. The relationship satisfies reflexivity, symmetry, and transitivity. Therefore, it is
an equivalence relation and partitions the Boolean functions of $n$ variables into equivalence
classes.

Definition 4.3.5. Two MRS functions $f$ and $h$ of the same variables are cycle combination
graph (CCG) equivalent, denoted by $f \sim h$, if $G_f$ is isomorphic to $G_h$.

MRS functions add interesting characteristics to the structure of CCGs. These characteristics
originate from the cycles generated by shifting variables. Table 4.2 illustrates
how shifting along the indices of the variables affects the cycles.

Rotation    Vertex Index Shift
P_1 = 1     P_2                    P_3                    ...   P_d
2           P_2 + 1 mod n          P_3 + 1 mod n          ...   P_d + 1 mod n
3           P_2 + 2 mod n          P_3 + 2 mod n          ...   P_d + 2 mod n
...
m           P_2 + m - 1 mod n      P_3 + m - 1 mod n      ...   P_d + m - 1 mod n
...
n - 1       P_2 + n - 2 mod n      P_3 + n - 2 mod n      ...   P_d + n - 2 mod n
n           P_2 + n - 1 mod n      P_3 + n - 1 mod n      ...   P_d + n - 1 mod n

Table 4.2: Vertex Structure of a Cycle Combination Graph of a MRS Function


In order to analyze what happens at each vertex, we measure the distance from
each variable in the monomial term to $x_n$. Let $k_i$ be the distance from $x_{P_i}$ to $x_n$ defined by
$k_i = n - P_i$. Therefore, we have

$k_1 = n - 1$,

$k_2 = n - P_2$,

$\vdots$

$k_d = n - P_d$.

Additionally, since we are working with the cycles derived from the variables of a Boolean
function in ANF, we can measure the distance between the vertices in the following manner.
Let $r_i$ be the distance between $x_{P_{i+1}}$ and $x_{P_i}$ defined by $r_i = P_{i+1} - P_i$. Then, we have

$r_1 = P_2 - P_1$,

$r_2 = P_3 - P_2$,   (4.1)

$\vdots$

$r_d = P_{d+1} - P_d$,

where $P_{d+1} = n + 1$.

We focus on vertex 1. Vertex 1 connects $2d$ times, as shown in Table 4.3.

Shift    Vertex 1 and its Neighbors by Shift
0        P_d                          P_1 = 1                       P_2
1        P_1 + k_2 + 1 mod n          P_2 + k_2 + 1 mod n = 1       P_3 + k_2 + 1 mod n
2        P_2 + k_3 + 1 mod n          P_3 + k_3 + 1 mod n = 1       P_4 + k_3 + 1 mod n
...
d - 1    P_{d-1} + k_d + 1 mod n      P_d + k_d + 1 mod n = 1       P_1 + k_d + 1 mod n

Table 4.3: Vertex 1 and its Neighbors


By applying the descriptions of $k_i$ and $r_i$ with $1 \le i \le d$, we obtain a set of edges
on vertex $P_1 = 1$, as justified below:

$\{1, 1 \pm r_1 \pmod n\}$,

$\{1, 1 \pm r_2 \pmod n\}$,   (4.2)

$\vdots$

$\{1, 1 \pm r_d \pmod n\}$.

By the shifting action of the CCG generation, the set of edges replicates on each
vertex, depending only on the $r_i$'s. Therefore, by an inductive argument, we can generalize the
result for any vertex. Table 4.4 shows the neighbors of an arbitrary vertex $m$.

Shift    Neighbors of Vertex m
0        P_d + m - 1 mod n            m                             P_2 + m - 1 mod n
1        P_1 + k_2 + m mod n          P_2 + k_2 + m mod n = m       P_3 + k_2 + m mod n
2        P_2 + k_3 + m mod n          P_3 + k_3 + m mod n = m       P_4 + k_3 + m mod n
...
d - 1    P_{d-1} + k_d + m mod n      P_d + k_d + m mod n = m       P_1 + k_d + m mod n

Table 4.4: 2d Neighbors of Arbitrary Vertex m


Applying the same argument as for the vertex 1, we obtain the following neighbors

$\{m, m \pm r_1 \pmod n\}$,

$\{m, m \pm r_2 \pmod n\}$,   (4.3)

$\vdots$

$\{m, m \pm r_d \pmod n\}$.

This generalization suggests that the CCGs are regular, since a CCG is a simple graph.

Theorem 4.3.6. Let $f$ be an MRS function of $n$ variables generated by $x_1x_{P_2}\ldots x_{P_d}$ (OSANF)
and $G_f$ be the CCG of $f$. Then $G_f$ is regular.

In particular, $G_f$ is

$|\{\{1, 1 \pm r_i \pmod n\} \mid 1 \le i \le d\}|$-regular,

where $r_i$ are defined as in Equation 4.1.

Proof. By Equation 4.3, vertex 1 has $2d$ many edges, counting multiple edges, and the
cardinality of

$\{\{1, 1 \pm r_i \pmod n\} \mid 1 \le i \le d\}$

gives us the number of edges at each vertex, counting multiple edges as one. Also, the
degree of a vertex does not depend on the vertex, as discussed. Therefore, the claim holds.

□

Generally, each distinct $r_i$ adds two edges to a vertex, except when the two edges
coincide with each other. We see that the exception results in an $r$-regular graph, where $r$
is an odd number.

Corollary 4.3.7. Let $f = x_1x_{P_2}\ldots x_{P_d}$ (OSANF) be an MRS function of $n$ variables. Then,
$G_f$ is a $t$-regular graph where $t = 2k_1 - 1$ for some $k_1 \in \mathbb{N}$ if and only if $n = 2k_2$ for some
integer $k_2 \in \mathbb{N}$, and there exists $i$ with $1 \le i \le d$ such that $r_i = k_2$.

Proof. ($\Leftarrow$) In line with Theorem 4.3.6, for an arbitrary vertex $m$, we have two edges
$\{m, m + k_2 \bmod n\}$ and $\{m, m - k_2 \bmod n\}$. Since $n = 2k_2$,

$m + k_2 \bmod n = m - k_2 \bmod n$.

Hence, $r_i = k_2$ adds one edge to $G_f$. Additionally, any $r_i \neq k_2$ adds two edges to
$G_f$. Therefore, $G_f$ is a $t$-regular graph where $t = 2k_1 - 1$ for some $k_1 \in \mathbb{N}$.

($\Rightarrow$) First, we claim $n$ is even. If $n$ is odd, Theorem 4.3.6 implies that each $r_i$ adds
two distinct edges to a vertex. This contradicts that $t$ is odd. In addition, if $r_i \neq k_2$ for all
$i$, then we see that the $r_i$'s add two edges to the vertex, which makes $t$ even, a contradiction.
Therefore, the claim holds. □

Using Table 4.2, we generate some possible configurations of graphs for MRS functions
in Figure 4.5. They suggest that the CCGs for the functions of the order greater than
three are generated by the union of CCGs of quadratic functions. However, when $n = 5$, the
CCG $K_5$ is generated by two cycles [1,2,3,4,5] and [1,3,5,2,4], which are the CCGs of
$x_1x_2$ (OSANF) and $x_1x_3$ (OSANF), respectively, and they are isomorphic to each other.
This shows that generating quadratic functions may be isomorphic in their CCGs. Furthermore,
Equation 4.3 suggests that we get a pair of edges from a quadratic function, which
generates the CCG by shifting $n$ times through the vertices. This implies that the space of
CCGs for $n$ variable Boolean functions can be generated by the CCGs of quadratic functions,

$x_1x_2$ (OSANF), $x_1x_3$ (OSANF), $\ldots$, and $x_1x_{\lfloor n/2 \rfloor + 1}$ (OSANF).

Figure 4.5: Isomorphic Cycle Combination Graph Classes n = 2 to 5 (surviving panel labels: (a) n = 2; (b) n = 3)

Therefore, given $n$ variable MRS Boolean functions, the maximum number of possible
CCGs is


This gives us the following lemma.

Lemma 4.3.8. Given $n \in \mathbb{N}$, the maximum number of CCGs of an $n$-variable MRS is
bounded above by $2^{\lfloor n/2 \rfloor}$.

The bound in Lemma 4.3.8 cannot improve to equality, since we have cases where
some unions of the quadratic CCGs are impossible under certain conditions. We illustrate
this in the following example.

Example 4.3.9. In Figure 4.6, the sub-figures (b) through (d) form a basis for the graph
space for $n = 6$, which generates the rest of the CCGs, the sub-figures (e) through (g).

We note that the configuration in Figure 4.7 is not a possible CCG. The graph is a
combination of $G_c$ and $G_d$ in Figure 4.6. Therefore, we have to use the edges connecting
two numbers apart by 2 or 3. This implies that we cannot complete a cycle in Figure 4.7
without violating the order structure of CCG. In other words, it is equivalent to a partition
on six identical objects with parts of two and three only, which is impossible. So far, we
focused on the fact that the difference between the indices of variables generates two edges
at a vertex of the CCG. We note that we just need one of the two edges, and so we can
simplify the notion with the next definition.

Definition 4.3.10. Let $f = x_1x_{P_2}x_{P_3}\ldots x_{P_d}$ (OSANF). Let $r_i$ be as in Equation 4.1.

The distance set of $f$, denoted by $DS(f)$, is the set

$\{a_i \mid a_i = \min(r_i, n - r_i),\ 1 \le i \le d\}$.

We call $a_i$ a distance element of $f$.

Figure 4.6: Cycle Combination Graphs n = 6

Figure 4.7: An Impossible CCG n = 6

It is clear that each $r_i$ generates, at most, one distance element.

Lemma 4.3.11. Let $f$ be an MRS function of $n$ variables whose CCG is an $r$-regular graph.
Then,

$|DS(f)| = \lceil r/2 \rceil$.

Proof. If $n$ is odd, by the construction of CCG and Definition 4.3.10, each distance element
generates two edges for a vertex of $G_f$, and so

$|DS(f)| = r/2$.

However, if $n$ is even, we consider two cases. If $r$ is even, by the construction of CCG and
Definition 4.3.10, each distance element generates two edges for a vertex of $G_f$, and so

$|DS(f)| = r/2$.

If $r$ is odd, by Corollary 4.3.7, we know

$n/2 \in DS(f)$,

and the distance element $n/2$ generates only one edge (or two overlapping edges) while each
of the other distance elements generates two edges. So, we have,

$|DS(f)| = \lceil r/2 \rceil$.

□

One of the characteristics of a quadratic MRS function $f$ is that $|DS(f)| = 1$.
However, not every MRS function $f$ with $|DS(f)| = 1$ is a quadratic function. The next
lemma addresses the case where a CCG of a quadratic MRS function is generated by a
non-quadratic function.

Lemma 4.3.12. Let $f$ be an MRS function of $n$ variables. Then there exists a quadratic
MRS function $h$ such that

$G_h = G_f$

if and only if

$f = x_1x_d$ (OSANF)

for some $2 \le d \le n$ or some non-quadratic MRS function $f$ such that

$|DS(f)| = 1$.

Proof. ($\Rightarrow$) Assume the conclusion is not true. Then, we have $|DS(f)| > 1$. Since
$|DS(f)| > 1$ generates more than two edges at a vertex of $G_f$, there exists no quadratic
MRS function $h$ such that

$G_h = G_f$,

which is a contradiction.

($\Leftarrow$) If $f = x_1x_d$ (OSANF), the conclusion is immediate. If $f \neq x_1x_d$ (OSANF)
and $DS(f) = \{k\}$ for $1 \le k \le \lfloor n/2 \rfloor$, we can set

$h = x_1x_k$ (OSANF).

□

Example 4.3.13. Let $n = 6$, and

$f_1 = x_1x_2$ (OSANF)

$f_2 = x_1x_2x_3x_4x_5x_6$ (OSANF)

$h_1 = x_1x_3$ (OSANF)

$h_2 = x_1x_3x_5$ (OSANF).

Clearly, we have

$|DS(f_1)| = |DS(f_2)| = |DS(h_1)| = |DS(h_2)| = 1$,

$G_{f_1} \cong G_{f_2}$

and

$G_{h_1} \cong G_{h_2}$.
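The CCG construction of Definition 4.3.3, the distance set of Definition 4.3.10 and the degree statements of Theorem 4.3.6, Corollary 4.3.7 and Lemma 4.3.11 can be exercised on the small cases discussed in this section. The following is an added example, not code from the thesis; the function names are chosen here, an OSANF is passed as its index tuple $(1, P_2, \ldots, P_d)$, and the isomorphism test is a brute-force search that is only practical for small $n$.

```python
"""Cycle combination graphs (CCGs) of MRS functions given in OSANF."""
from itertools import combinations, permutations


def ccg_edges(n, P):
    """Edge set of the CCG of x_1 x_{P_2} ... x_{P_d} (OSANF) on vertices 1..n."""
    P = list(P)
    if P[0] != 1 or P != sorted(set(P)) or not 2 <= len(P) <= n or P[-1] > n:
        raise ValueError("need 1 = P_1 < P_2 < ... < P_d <= n with d >= 2")
    edges = set()
    for shift in range(n):  # the n rotations of the base cycle
        cycle = [(p - 1 + shift) % n + 1 for p in P]
        for i, u in enumerate(cycle):
            # Consecutive vertices plus the closing edge; duplicates collapse.
            edges.add(frozenset((u, cycle[(i + 1) % len(cycle)])))
    return edges


def distance_set(n, P):
    # r_i = P_{i+1} - P_i with P_{d+1} = n + 1 (Equation 4.1), then min(r_i, n - r_i).
    ext = list(P) + [n + 1]
    return {min(r, n - r) for r in (ext[i + 1] - ext[i] for i in range(len(P)))}


def regular_degree(n, edges):
    # Common vertex degree, or None if the graph is not regular.
    deg = {v: 0 for v in range(1, n + 1)}
    for e in edges:
        for v in e:
            deg[v] += 1
    values = set(deg.values())
    return values.pop() if len(values) == 1 else None


def predicted_degree(n, P):
    # Each distance element gives two edges per vertex, except n/2 which gives one.
    ds = distance_set(n, P)
    return 2 * len(ds) - (1 if n % 2 == 0 and n // 2 in ds else 0)


def isomorphic(n, e1, e2):
    # Brute force over all vertex relabelings; fine for n <= 7 or so.
    if len(e1) != len(e2):
        return False
    verts = range(1, n + 1)
    for image in permutations(verts):
        relabel = dict(zip(verts, image))
        if {frozenset(relabel[v] for v in e) for e in e1} == e2:
            return True
    return False


def all_osanf(n):
    # Every index tuple (1, P_2, ..., P_d) with 2 <= d <= n.
    for d in range(2, n + 1):
        for rest in combinations(range(2, n + 1), d - 1):
            yield (1,) + rest


def reachable_distance_sets(n):
    return {frozenset(distance_set(n, P)) for P in all_osanf(n)}


if __name__ == "__main__":
    for P in ((1, 2), (1, 2, 3, 4, 5, 6), (1, 3), (1, 3, 5), (1, 2, 3), (1, 4)):
        e = ccg_edges(6, P)
        print(P, "DS =", sorted(distance_set(6, P)),
              "degree =", regular_degree(6, e), "edges =", len(e))
    print("distance sets reachable for n = 6:",
          sorted(sorted(s) for s in reachable_distance_sets(6)))
```
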
Lemma 4.3.14. Let $f = x_1x_ix_k$ (OSANF) be a cubic MRS function of $n$ variables. Let $a$,
$b$, and $c$ be distance elements of $x_1x_i$ (OSANF), $x_1x_{k-i+1}$ (OSANF), and $x_1x_k$ (OSANF),
respectively. Then, the following statements are true:

(1) If $a \neq b$, $a \neq c$, and $b \neq c$, then

$G_f = G_{\|x_1x_i\|} \cup G_{\|x_1x_{k-i+1}\|} \cup G_{\|x_1x_k\|}$.

(2) If $a \neq b$ and $b = c$, or $a \neq b$ and $a = c$, then

$G_f = G_{\|x_1x_i\|} \cup G_{\|x_1x_{k-i+1}\|}$.

(3) If $a = b$ and $b \neq c$, then

$G_f = G_{\|x_1x_i\|} \cup G_{\|x_1x_k\|}$.

(4) If $a = b = c$, then

$G_f = G_{\|x_1x_i\|}$.

Proof. For all instances, it is clear that

$V(G_f) = V(G_{\|x_1x_i\|}) = V(G_{\|x_1x_{k-i+1}\|}) = V(G_{\|x_1x_k\|})$.

So we focus on the equality of the edge sets.

(1) Since $a \neq b$, $a \neq c$, and $b \neq c$, an arbitrary vertex $m$ has the edges

$\{m, m \pm a \pmod n\}$

$\{m, m \pm b \pmod n\}$

$\{m, m \pm c \pmod n\}$.

Also, each distance element generates a unique corresponding edge set. We have

$\{\{j, j + a \pmod n\} \mid 1 \le j \le n\} = E(G_{\|x_1x_i\|})$

$\{\{j, j + b \pmod n\} \mid 1 \le j \le n\} = E(G_{\|x_1x_{k-i+1}\|})$

$\{\{j, j + c \pmod n\} \mid 1 \le j \le n\} = E(G_{\|x_1x_k\|})$.

Therefore,

$E(G_f) = E(G_{\|x_1x_i\|}) \cup E(G_{\|x_1x_{k-i+1}\|}) \cup E(G_{\|x_1x_k\|})$

and the claim holds.

(2) Since $a \neq b$ and $b = c$ (or $a \neq b$ and $a = c$), an arbitrary vertex $m$ has the edges

$\{m, m \pm a \pmod n\}$

$\{m, m \pm b \pmod n\}$,

Since the distance elements generate the following edges,

$\{\{j, j + a \pmod n\} \mid 1 \le j \le n\} = E(G_{\|x_1x_i\|})$

$\{\{j, j + b \pmod n\} \mid 1 \le j \le n\} = E(G_{\|x_1x_{k-i+1}\|})$.

Therefore,

$E(G_f) = E(G_{\|x_1x_i\|}) \cup E(G_{\|x_1x_{k-i+1}\|})$

and the claim holds.

(3) The proof is similar to the one for (2).

(4) Since $a = b = c$, an arbitrary vertex $m$ has the edges

$\{m, m \pm a \pmod n\}$.

The distance element generates the following edges

$\{\{j, j + a \pmod n\} \mid 1 \le j \le n\} = E(G_{\|x_1x_i\|})$.

Therefore,

$E(G_f) = E(G_{\|x_1x_i\|})$

and the claim holds.


□ 
When we create another MRS by adding another variable, we can increase the cardinality of the distance set by at most two. Using this, we further generalize the idea of Lemma 4.3.14.

Lemma 4.3.15. Let $f = x_1x_ix_j$ (OSANF) and $h = x_1x_ix_jx_k$ (OSANF) be MRS functions of $n$ variables. Let $a$, $b$, and $c$ be distance elements of $x_1x_j$ (OSANF), $x_1x_{k-j+1}$ (OSANF), and $x_1x_k$ (OSANF), respectively. Then, the following statements are true:

(1) If $DS(h) = DS(f)$, then

$$G_h = G_f.$$

(2) If $|DS(h)| = |DS(f)| + 1$, and $a$ is a redundant distance element of $f$, then

$$b = c$$

and

$$G_h = G_f \cup G_{\|x_1x_k\|}.$$

(3) If $|DS(h)| = |DS(f)| + 1$ and $a$ is not a redundant distance element of $f$,

$$b \neq c$$

and

$$G_h = G_f \cup G_{\|x_1x_{k-j+1}\|} \cup G_{\|x_1x_k\|} - G_{\|x_1x_j\|}.$$

(4) If $|DS(h)| = |DS(f)| + 2$, $a$ is a redundant distance element of $f$,

$$b \neq c,$$

and

$$G_h = G_f \cup G_{\|x_1x_{k-j+1}\|} \cup G_{\|x_1x_k\|} - G_{\|x_1x_j\|}.$$

Proof. For all instances, the function $h$ is obtained by removing the distance element $a$ and adding the distance elements $b$ and $c$. We can construct $G_h$ from $G_f$, tracking the changes from $DS(f)$ to $DS(h)$. Clearly,

$$V(G_f) = V(G_h).$$

We also have a general construction of the edge set of $G_h$:

$$E(G_h) = E(G_f) \cup E(G_{\|x_1x_{k-j+1}\|}) \cup E(G_{\|x_1x_k\|}) - E(G_{\|x_1x_j\|}).$$

(1)  Since  DS(h )  =  DS(f),  we  have 

and 

Therefore, 

E(Gf)  =  E(Gh). 

(2) Since $a$ is a redundant distance element of $f$,

$$E(G_f) = E(G_f) - E(G_{\|x_1x_j\|}).$$

Since $|DS(h)| = |DS(f)| + 1$, $b = c$, or equivalently

$$E(G_{\|x_1x_{k-j+1}\|}) = E(G_{\|x_1x_k\|}).$$

Therefore,

$$G_h = G_f \cup G_{\|x_1x_k\|}.$$

(3) Since $a$ is not a redundant distance element of $f$,

$$E(G_f) \supset E(G_f) - E(G_{\|x_1x_j\|}).$$

Additionally, $|DS(h)| = |DS(f)| + 1$. So, we have to have $b \neq c$. Therefore,

$$E(G_h) = E(G_f) - E(G_{\|x_1x_j\|}) \cup E(G_{\|x_1x_{k-j+1}\|}) \cup E(G_{\|x_1x_k\|}).$$

(4)  If  a  is  not  a  redundant  distance  element,  or  b  ^  c  ,  we  have  DS(h )  =  DS(f )  + 1 
at  most,  which  is  a  contradiction.  Clearly, 

$$E(G_h) = E(G_f) - E(G_{\|x_1x_j\|}) \cup E(G_{\|x_1x_{k-j+1}\|}) \cup E(G_{\|x_1x_k\|}),$$

and the claim follows. □

We  extend  Lemma  4.3.15  to  the  next  theorem,  whose  proof  is  omitted,  since  it  is 
somewhat  similar. 

Theorem 4.3.16. Let $f = x_1x_{i_2}x_{i_3} \cdots x_{i_{(k-1)}}x_{i_k}$ (OSANF) and $h = x_1x_{i_2}x_{i_3} \cdots x_{i_k}x_{i_{(k+1)}}$ (OSANF) be MRS functions of $n$ variables. Let $a$, $b$, and $c$ be distance elements of $x_1x_{i_k}$ (OSANF), $x_1x_{i_{(k+1)}-i_k+1}$ (OSANF), and $x_1x_{i_{(k+1)}}$ (OSANF), respectively. Then, the following statements are true:

(1) If $DS(h) = DS(f)$, then

$$G_h = G_f.$$

(2) If $|DS(h)| = |DS(f)| + 1$, and $a$ is a redundant distance element of $f$, then

$$b = c$$

and


Gh  —  Gf  U  G\ 


(3) If $|DS(h)| = |DS(f)| + 1$ and $a$ is not a redundant distance element of $f$,

$$b \neq c$$

and

$$G_h = G_f \cup G_{\|x_1x_{i_{(k+1)}-i_k+1}\|} \cup G_{\|x_1x_{i_{(k+1)}}\|} - G_{\|x_1x_{i_k}\|}.$$


(4) If $|DS(h)| = |DS(f)| + 2$, then $a$ is a redundant distance element of $f$,

$$b \neq c,$$

and


|  J  +  ifc+1  | 


The  following  theorems  can  be  proved  by  fundamental  number-  and  graph-theoretic 
techniques. 


Theorem 4.3.17. Let $f$ be an MRS function of $n$ variables. If $G_f$ is disconnected, then $1 \notin DS(f)$, and every element in $DS(f)$ divides $n$.

Proof. We prove this by contradiction. First, if $1 \in DS(f)$, $G_f$ clearly contains the cycle $[1, 2, \ldots, n]$. Therefore, it is connected, which is a contradiction. Also, if there exists a distance element $a$ of $f$ such that $a \nmid n$, $a$ is a generator of the group $\mathbb{Z}_n$ with respect to addition modulo $n$. And, we see that the following set of edges form $C_n$:

$$\{\{1, 1 + a\}, \{1 + a, 1 + 2a \bmod n\}, \ldots, \{1 + (n-1)a \bmod n, 1 + na \bmod n\}\}$$

$$= \{\{1, 1 + a\}, \{1 + a, 1 + 2a \bmod n\}, \ldots, \{1 + (n-1)a \bmod n, 1\}\}.$$

This contradicts the fact that $G_f$ is disconnected, since $C_n \in G_f$ implies $G_f$ is connected. □


Figure 4.8: CCG of $f = x_1x_3x_6x_9$ (OSANF)

The converse of the previous theorem does not hold, since there are instances where we can form a connected CCG with the nonzero distance elements that divide $n$. For example, let $n = 12$. Then, $f = x_1x_3x_6x_9$ (OSANF) has $1 \notin DS(f) = \{2, 3, 4\}$ and $2 \mid 12$, $3 \mid 12$ and $4 \mid 12$. However, $G_f$ is connected, as seen in Figure 4.8. Next, we present a case where a CCG happens to be a complete graph.

Theorem 4.3.18. Let $f$ be an MRS function of $n$ variables. Then, $G_f$ is complete if and only if $DS(f) = \{1, 2, \ldots, \lfloor n/2 \rfloor\}$.

Proof. ($\Rightarrow$) Since $G_f$ is regular, we make a case for the vertex 1. Since $G_f$ is complete, vertex 1 is incident to the set of edges

$$\{\{1, 2\}, \{1, 3\}, \ldots, \{1, n\}\}.$$

By Definition 4.3.10,

$$DS(f) = \{\min(2 - 1, n - 1 - 2), \min(3 - 1, n - 1 - 3), \ldots, \min(n - 1, n - n + 1)\} = \{1, 2, \ldots, \lfloor n/2 \rfloor\}.$$

($\Leftarrow$) By Definition 4.3.10, the vertex 1 has a set of edges

$$\{\{1, 1 \pm 1 \bmod n\}, \{1, 1 \pm 2 \bmod n\}, \ldots, \{1, 1 \pm \lfloor n/2 \rfloor \bmod n\}\} = \{\{1, 1\}, \{1, 2\}, \ldots, \{1, n\}\}.$$

□

Corollary 4.3.19. Let $f$ be an MRS function of $n$ variables. If $G_f = K_n$, then $\deg(f) \ge \lfloor n/2 \rfloor$.

Proof. By Theorem 4.3.18, $|DS(f)| = \lfloor n/2 \rfloor$. Therefore, $f$ needs at least $\lfloor n/2 \rfloor$ variables in its OSANF. □



5.  TWO  CONSTRUCTIONS  OF  BOOLEAN  FUNCTIONS  WITH 
GOOD  CRYPTOGRAPHIC  PROPERTIES 

5.1.  INTRODUCTION 

The two key factors in designing cryptographic Boolean functions are security and speed. We achieve security by having good measures in as many cryptographic properties as possible for the Boolean functions in a cipher, such as balancedness to resist statistical attacks, high nonlinearity to address linear cryptanalysis, high algebraic degree against algebraic attacks, correlation immunity and resilience to deal with correlation attacks, and algebraic immunity to resist (fast) algebraic attacks. Speed is another important aspect, since we desire fast encryption and decryption. For example, the Carlet-Feng function has good cryptographic properties, but compared to other functions, it is not simple to generate or implement. This may cause certain ciphers to underperform. Security and speed often conflict with each other, since higher security usually implies slower speed. Here we present two constructions for good cryptographic Boolean functions, using a cryptographically strong base function, and three simple Boolean operations, namely affine transformation, concatenation, and complementation. One of the significant benefits from this construction is the flexibility to choose a base function with customizable cryptographic properties. We achieve security from the inherent qualities of the base function and obtain speed by the simple Boolean operations. In Chapter 6, we give applications for our constructions. This chapter is based on Chung, Stanica, Tan, and Wang [27].

5.2. CONSTRUCTION TECHNIQUES OF CRYPTOGRAPHIC BOOLEAN FUNCTIONS

In  this  section,  we  review  fundamental  construction  techniques  for  cryptographic 
Boolean  functions. 
5.2.1. Concatenation

Given two base Boolean functions $f$ and $g$, both belonging to $\mathcal{B}_n$, we can construct another Boolean function, $h \in \mathcal{B}_{n+1}$, by concatenating their truth tables. We note that since the new function has to have $2^{n+1}$ elements in its truth table, the two functions concatenated must have the same number of variables or be the same length. To illustrate this point, if $h = f \| g$, $h \in \mathcal{B}_k$, $f \in \mathcal{B}_{k_1}$, and $g \in \mathcal{B}_{k_2}$ with $k_1, k_2 \in \mathbb{N}$ and $k_1 \neq k_2$, we have $2^k = 2^{k_1} + 2^{k_2} = 2^{k_1}(1 + 2^{k_1 - k_2})$. This implies $2^k$ has an odd factor, which is a contradiction. Therefore, we provide the following proposition.

Proposition 5.2.1. Let $f$ and $g$ be two Boolean functions. If $h = f \| g$, then $f$ and $g$ have the same number of variables.

Concatenating  two  Boolean  functions  introduces  a  new  variable  to  the  ANF  of  the 
concatenated  function.  The  following  useful  lemma  illustrates  how  we  can  obtain  the  ANF 
of  the  new  function  from  the  ANFs  of  the  base  functions. 

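Lemma 5.2.2. Let $f, g \in \mathcal{B}_{n-1}$. If $h = f \| g$ with $h \in \mathcal{B}_n$, then

$$h(\mathbf{x}) = (x_n \oplus 1) f(\mathbf{x}_{n-1}) \oplus x_n g(\mathbf{x}_{n-1}),$$

where $\mathbf{x}_{n-1} = (x_1, x_2, \ldots, x_{n-1})$ and $\mathbf{x} = (x_1, x_2, \ldots, x_n)$.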

Example 5.2.3. We illustrate Lemma 5.2.2 with two functions $f$ and $g$ on Table 5.1. We can convert the truth tables to ANFs as below.

$$f(\mathbf{x}) = x_1 \oplus x_2 \oplus x_3 \oplus x_1x_3 \oplus x_2x_3 \oplus x_1x_2x_3$$

$$g(\mathbf{x}) = 1 \oplus x_1 \oplus x_3 \oplus x_1x_2 \oplus x_2x_3 \oplus x_1x_2x_3$$

We confirm the following equation of ANFs of the functions using Lemma 5.2.2 and Table 5.2.
x3  x2  x1  f(x)  g(x)
0   0   0   0     1
0   0   1   1     0
0   1   0   1     1
0   1   1   0     1
1   0   0   1     0
1   0   1   1     1
1   1   0   1     1
1   1   1   0     0

Table 5.1: Truth Table of f and g


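$$h(\mathbf{x}) = (x_4 \oplus 1) f(\mathbf{x}_{n-1}) \oplus x_4 g(\mathbf{x}_{n-1})$$

$$= x_1 \oplus x_2 \oplus x_3 \oplus x_4 \oplus x_1x_3 \oplus x_2x_3 \oplus x_2x_4 \oplus x_1x_2x_3 \oplus x_1x_2x_4 \oplus x_1x_3x_4$$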


x4  x3  x2  x1  h(x)    x4  x3  x2  x1  h(x)
0   0   0   0   0       1   0   0   0   1
0   0   0   1   1       1   0   0   1   0
0   0   1   0   1       1   0   1   0   1
0   0   1   1   0       1   0   1   1   1
0   1   0   0   1       1   1   0   0   0
0   1   0   1   1       1   1   0   1   1
0   1   1   0   1       1   1   1   0   1
0   1   1   1   0       1   1   1   1   0

Table 5.2: Truth Table of h = f || g


The following theorem by Siegenthaler shows that a technique as simple as concatenation can be used to preserve certain cryptographic properties.

Theorem 5.2.4. [23] If Boolean functions $f, g \in \mathcal{B}_n$ have correlation immunity of order $k$, then $h = f \| g$ has correlation immunity of order $k$.
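5.2.2. Kronecker Product

The Kronecker product is a matrix operation that takes two matrices of arbitrary size and outputs a block matrix.

Definition 5.2.5. Let $A = \{a_{ij}\}$ be an $m \times n$ matrix and $B = \{b_{rs}\}$ a $p \times q$ matrix. The Kronecker product of $A$ and $B$, denoted by $A \otimes B$, is an $mp \times nq$ matrix,

$$A \otimes B = \begin{pmatrix} a_{11}B & \cdots & a_{1n}B \\ \vdots & \ddots & \vdots \\ a_{m1}B & \cdots & a_{mn}B \end{pmatrix} = \begin{pmatrix} a_{11}b_{11} & \cdots & a_{1n}b_{1q} \\ \vdots & \ddots & \vdots \\ a_{m1}b_{p1} & \cdots & a_{mn}b_{pq} \end{pmatrix}.$$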

The Kronecker product can be used to generate higher-dimensional bent functions from a base bent function.


Theorem  5.2.6.  [67]  Let  a  Ak-dimensional  column  vector  x  represent  the  truth  table  of  a 
bent  function  with  k  —  1,2, -  Then, 


z  =  x®x 

is  a  bent  function  expressed  in  a  16/c2  -dimensioned  column  vector. 

In another example, the Kronecker product is a key concept to prove the following theorem, which addresses a construction of bent functions.

Theorem 5.2.7. [67] Let $f$ and $g$ be two Boolean functions such that $f : \mathbb{F}_2^n \to \mathbb{F}_2$ and $g : \mathbb{F}_2^m \to \mathbb{F}_2$. Then the Boolean function $h : \mathbb{F}_2^{n+m} \to \mathbb{F}_2$, defined by $h(\mathbf{z}) = f(\mathbf{x}) \oplus g(\mathbf{y})$ with $\mathbf{z} = \mathbf{x} \| \mathbf{y}$, is bent if and only if $f$ and $g$ are bent.
This theorem shows how a Boolean function of $2k$ variables, $f(\mathbf{x}) = x_1x_2 \oplus x_3x_4 \oplus \cdots \oplus x_{2k-1}x_{2k}$ with $k \ge 1$ is bent. The direct-sum method is a key component of various bent function constructions including the constructions of Maiorana and McFarland [68], [69], and Carlet [70], [71], and Canteaut et al. [30].

5.2.3.  Affine  Operations 

We can integrate various operations that are conceptually linear to a construction method to have significant effects. For example, linear transformation of variables, complementation of domain or function values, and adding polynomials are frequently used for construction and analysis.

Example 5.2.8. If a Boolean function $f$ is bent, then $f \oplus \ell$ is bent for any affine function $\ell$ [4, p. 83]. Let $A$ be an $n \times n$ invertible matrix over $\mathbb{F}_2$ and $\mathbf{v} \in \mathbb{F}_2^n$. If a Boolean function $f$ of $n$ variables is bent, then $g(\mathbf{x}) = f(A\mathbf{x} \oplus \mathbf{v})$ is bent [4, p. 84]. Therefore, $h(\mathbf{x}) = f(A\mathbf{x} \oplus \mathbf{v}) \oplus \ell$ is bent as well.

5.3.  TWO  CONSTRUCTIONS  TO  ADDRESS  SECURITY  AND  SPEED 

We introduce two constructions [27] based on functions $f_i \in \mathcal{B}_{n-2}$ where $i = 1, 2, \ldots$.

Construction 1.

For $\{i, j\} = \{1, 2\}$, we define the functions on $\mathbb{F}_2^n$:


fi  II  fi  II  fi  II  fj'i  fi  II  fi  II  fi  II  U  II  fj  II  fi  II  fj'i  fi  II  fi 


fi  II  fj  II  fj  II  h  fi  II  fj  II  L  II  fi ;  fi  II  fj  II  fj  II  fi ;  fi  II  fj 


fi  II  fj'i 

fj  II  .re¬ 


Construction 2.

For $\{i, j\} = \{1, 2\}$, we define the functions on $\mathbb{F}_2^n$:


/.  II  fi  II  f<  II  Sr  /.  II  fi  II  fj  II  /,;  Si  II  Si  II  Si  II  Sr,  Si  II  t,  II  f,  II 


We observe that some functions in the constructions are affine equivalent to each other. For example, given two functions $u$ and $v$ of $n - 1$ variables with $\mathbf{x} \in \mathbb{F}_2^n$,

$$(u \| \bar{v})(\mathbf{x}) = (x_n \oplus 1)u \oplus x_n(v \oplus 1)$$

$$= (x_n \oplus 1)u \oplus x_n v \oplus x_n$$

$$= (u \| v)(\mathbf{x}) \oplus x_n$$

by Definition 3.2.1. Therefore,

$$u \| \bar{v} \sim u \| v.$$

Also,

$$(v \| u)(\mathbf{x}) = (u \| v)(\mathbf{x} \oplus (0, \ldots, 0, 1))$$

due to the lexicographical order of domain. So we have

$$u \| v \sim v \| u,$$

where $\sim$ signifies affine equivalence.
By  setting  u  =  /,;  ||  f)  and  v  =  f%  ||  fjt  it  is  clear  that  u  ||  v  =  ft  ||  f)  ||  ./■  ||  fj 
is  affine  equivalent  to  m  ||  fi  =  f,  ||  f:j  ||  f,  ||  fj.  By  similar  arguments,  we  have  for 
Construction  1, 


and 


fi  II  fj  II  fi  II  fj 


fi\\fj\\fi\\fj  - 


fi  II  fj  II  fi  II  fj 


{  fi  II  fj  II  fill  fj 


/ill/ill/ill/i  ~  { 


fi  II  fj  II  fj  II  fi 

fi  II  fj  II  fj  II  fi  • 

fi  II  fj  II  fj  II  fi 


For  Construction  2, 


fi  II  fj  II  fi  II  fj  =  fi  II  fj  II  fi  II  fj  ©  1 


and 
Therefore,  we  have 


fi\\  /,  ii  fi  ii  h  ~  /iiiAii/iii/i 


and 


fi  II  fj  II  fj  II  fi  ~  fi  II  fj  II  fj  II  U 

There have been some constructions which use some components of our constructions. For example, the bentness, the resiliency, and the normality properties of concatenated bent functions were considered in [72, 73]. The normality of $f_1 \| f_2 \| f_1 \| f_1$ for arbitrary function $f_i$ with $i = 1, 2$ is mentioned in [74]. Our constructions address the instance where $f_i$'s are affine equivalent to each other, and we cover other configurations. Moreover, we explore more than the normality of the functions. $f \in \mathcal{B}_n$ satisfies the high degree product (HDP) of order $n$ if, for any non-annihilating function $g$ of degree $1 \le e \le \lceil n/2 \rceil - 1$, the degree $d = \deg(gf)$ satisfies $e + d \ge n$ [75]. In [75], Pasalic introduced a concatenation of four functions which requires each function to have maximum algebraic immunity, to show that the notion of HDP can measure resistance to fast algebraic attacks.

Remark 5.3.1. In [76], Wang et al. demonstrated that the construction based on a four-function concatenation in [75] does not always produce HDP function.


5.4. CRYPTOGRAPHIC PROPERTIES OF THE TWO CONSTRUCTIONS


We start with algebraic immunity and nonlinearity. To set the stage for these properties, we take a look at the Walsh-Hadamard transform of the functions. The relationship between the Walsh-Hadamard transform and the function formed by concatenating two or four functions of the same variables is well known. We generalize the relationship and present the next lemma, which relates the Walsh-Hadamard coefficients of $g$ (in some dimension) to the Walsh-Hadamard coefficients of its $2^k$ ($k \ge 1$) concatenated parts.

Lemma 5.4.1. [27] If $g(\mathbf{x}, x_{n+1}, \ldots, x_{n+r}) = f_1(\mathbf{x}) \| f_2(\mathbf{x}) \| \cdots \| f_{2^r}(\mathbf{x}) = \big\|_{i=1}^{2^r} f_i(\mathbf{x})$, then

$$W_g(\mathbf{u}, u_{n+1}, \ldots, u_{n+r}) = W_{f_1}(\mathbf{u}) + (-1)^{u_{n+1}} W_{f_2}(\mathbf{u}) + \cdots + (-1)^{u_{n+1} + \cdots + u_{n+r}} W_{f_{2^r}}(\mathbf{u})$$

$$= \sum_{k=1}^{2^r} (-1)^{\mathbf{a}^{(k)} \cdot \mathbf{u}'} W_{f_k}(\mathbf{u}),$$

where $r \in \mathbb{N}$, $\mathbf{a}^{(k)}$ is the $k$th lexicographically ordered vector in $\mathbb{F}_2^r$, and $\mathbf{u}' = (u_{n+1}, \ldots, u_{n+r})$.
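Proof. We show our result by induction on $r$. If $r = 1$,

$$W_g(\mathbf{u}, u_{n+1}) = \sum_{(\mathbf{x}, x_{n+1}) \in \mathbb{F}_2^{n+1}} (-1)^{g(\mathbf{x}, x_{n+1}) + \mathbf{u} \cdot \mathbf{x} + u_{n+1}x_{n+1}}$$

$$= \sum_{\mathbf{x} \in \mathbb{F}_2^n} (-1)^{g_1(\mathbf{x}) + \mathbf{u} \cdot \mathbf{x}} + (-1)^{u_{n+1}} \sum_{\mathbf{x} \in \mathbb{F}_2^n} (-1)^{g_2(\mathbf{x}) + \mathbf{u} \cdot \mathbf{x}}$$

$$= W_{g_1}(\mathbf{u}) + (-1)^{u_{n+1}} W_{g_2}(\mathbf{u}).$$

For the induction hypothesis, we assume

$$W_g(\mathbf{u}, u_{n+1}, \ldots, u_{n+r}) = \sum_{k=1}^{2^r} (-1)^{\mathbf{a}^{(k)} \cdot \mathbf{u}'} W_{f_k}(\mathbf{u}),$$

for

$$g''(\mathbf{x}, x_{n+1}, \ldots, x_{n+r+1}) = f_1(\mathbf{x}) \| f_2(\mathbf{x}) \| \cdots \| f_{2^{r+1}}(\mathbf{x}) = g \| g' = \big\|_{i=1}^{2^{r+1}} f_i(\mathbf{x}),$$

where $g' = f_{2^r+1}(\mathbf{x}) \| f_{2^r+2}(\mathbf{x}) \| \cdots \| f_{2^{r+1}}(\mathbf{x})$.

Then, we have

$$W_{g''}(\mathbf{u}, u_{n+1}, \ldots, u_{n+r+1})$$

$$= W_g(\mathbf{u}, u_{n+1}, \ldots, u_{n+r}) + (-1)^{u_{n+r+1}} W_{g'}(\mathbf{u}, u_{n+1}, \ldots, u_{n+r})$$

$$= W_{f_1}(\mathbf{u}) + (-1)^{u_{n+1}} W_{f_2}(\mathbf{u}) + \cdots + (-1)^{u_{n+1} + \cdots + u_{n+r+1}} W_{f_{2^{r+1}}}(\mathbf{u})$$

$$= \sum_{k=1}^{2^{r+1}} (-1)^{\mathbf{a}^{(k)} \cdot \mathbf{u}'} W_{f_k}(\mathbf{u}),$$

which shows our result. □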

The  next  lemma  shows  what  happens  to  algebraic  immunity  when  XORing  two 
functions. 

Lemma 5.4.2. [77, Lemma 1] For any $f \in \mathcal{B}_n$ and any $\ell \in \mathcal{A}_n$,

$$AI(f) - 1 \le AI(f \oplus \ell) \le AI(f) + 1.$$

In general, for any $f \in \mathcal{B}_n$ and any function $h \in \mathcal{B}_n$ with $\deg(h) = k$,

$$AI(f) - k \le AI(f \oplus h) \le AI(f) + k.$$

The next lemma shows how algebraic immunity behaves when concatenating two functions.

Lemma 5.4.3. [77, Proposition 1] Let $g_1, g_2$ be two Boolean functions in the variables $x_1, \ldots, x_n$ with $AI(g_1) = d_1$, $AI(g_2) = d_2$, and let $g = (1 \oplus x_{n+1})g_1 \oplus x_{n+1}g_2 \in \mathcal{B}_{n+1}$. Then, the following hold:

If $d_1 \neq d_2$, then $AI(g) = \min\{d_1, d_2\} + 1$.

If $d_1 = d_2\ (=: d)$, then $d \le AI(g) \le d + 1$. Further, $AI(g) = d$ if and only if there exists $f_1, f_2 \in \mathcal{B}_n$ of algebraic degrees $d$ that either both annihilate $g_1, g_2$, or both annihilate $\bar{g}_1, \bar{g}_2$, and $\deg(f_1 \oplus f_2) \le d - 1$.

For our next result, we let $f_1 \in \mathcal{B}_{n-2}$ in Construction 1 and 2 be any balanced function and $f_2(\mathbf{x}) = f_1(A\mathbf{x} \oplus \mathbf{b})$, where $A$ is an $(n-2)$ by $(n-2)$ invertible matrix over $\mathbb{F}_2$ and $\mathbf{b}$ is an $(n-2)$ dimensional vector over $\mathbb{F}_2$. We note that, since $f_1$ and $f_2$ are affine equivalent, we have $\deg(f_1) = \deg(f_2)$, $AI(f_1) = AI(f_2)$ and $nl(f_1) = nl(f_2)$.

Theorem 5.4.4. [27] Let $f \in \mathcal{B}_n$ be given by Constructions 1 or 2, where $f_1, f_2 \in \mathcal{B}_{n-2}$ are nonconstant and affine equivalent. Then, $f$ is balanced,

$$\deg(f) = \max\{\deg(f_1), \deg(f_1 \oplus f_2) + 1\},$$

and

$$AI(f) \ge \min\{AI(f_1 \| f_2), AI(f_1 \| \bar{f}_2)\} \ge AI(f_1).$$

Moreover,

$$nl(f) = 2^{n-2} + 2\,nl(f_1),$$

for functions in Construction 1, and

$$nl(f) = 4\,nl(f_1),$$

for functions in Construction 2.

Proof. We prove the result for Construction 1 for two cases, since the others are similar. First, let $f = f_1 \| f_2 \| f_1 \| \bar{f}_2$. We observe that

$$f = (x_n \oplus 1)(f_1 \| f_2) \oplus x_n (f_1 \| \bar{f}_2)$$

$$= (x_n \oplus 1)((x_{n-1} \oplus 1) f_1 \oplus x_{n-1} f_2) \oplus x_n((x_{n-1} \oplus 1) f_1 \oplus x_{n-1}(f_2 \oplus 1))$$

$$= x_{n-1} f_1 \oplus f_1 \oplus x_{n-1} f_2 \oplus x_n x_{n-1}$$

$$= (f_1 \| f_2) \oplus x_n x_{n-1}.$$

Since $f_1$ and $f_2$ are nonconstant,

$$\deg(f) = \deg(f_1 \| f_2) = \max\{\deg(f_1), \deg(f_1 \oplus f_2) + 1\}.$$

Since

$$(f_1 \| \bar{f}_2)(\mathbf{x}_{n-1}) = (f_1 \| f_2)(\mathbf{x}_{n-1}) \oplus x_{n-1},$$

where $\mathbf{x}_{n-1} = (x_1, x_2, \ldots, x_{n-1})$, by Lemma 5.4.2,

$$|AI(f_1 \| f_2) - AI(f_1 \| \bar{f}_2)| \le 1.$$

So, we check two possibilities.

If $AI(f_1 \| f_2) = AI(f_1 \| \bar{f}_2)$, by Lemma 5.4.3

$$AI(f) \ge AI(f_1 \| f_2) \ge AI(f_1).$$

If $|AI(f_1 \| f_2) - AI(f_1 \| \bar{f}_2)| = 1$, then Lemma 5.4.3 shows that

$$AI(f) = \min\{d, d + 1\} + 1 = d + 1,$$

where $\min\{AI(f_1 \| f_2), AI(f_1 \| \bar{f}_2)\} = d$.

Second,  let  /  =  /i  1 1  f2  \  |  /2 1 1  /i .  Then, 


/  =  (xn  ®  l)(/i  ||  f2)  ©  xn(f2  ||  /l) 


=  Xn-if i  ©  /i  ©  xn_if2  ©  xnfx  ©  xnf2  © 


=  (/l  II  /2)  ©  2©(/l  ©  h  ©  Xn- 1). 


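So, we have

$$\deg(f) = \deg(f_1 \| f_2) = \max\{\deg(f_1), \deg(f_1 \oplus f_2) + 1\}.$$

The algebraic immunity computation does not change in this case.

To find the nonlinearity, we consider only $f = f_1 \| f_2 \| f_1 \| \bar{f}_2$ of Construction 1 since the proofs for the other cases are similar. Using Lemma 5.4.1, we obtain

$$W_f(\mathbf{u}, u_{n-1}, u_n) = W_{f_1}(\mathbf{u}) + (-1)^{u_{n-1}} W_{f_2}(\mathbf{u}) + (-1)^{u_n} W_{f_1}(\mathbf{u}) + (-1)^{u_{n-1} + u_n} W_{\bar{f}_2}(\mathbf{u})$$

$$= (1 + (-1)^{u_n}) W_{f_1}(\mathbf{u}) + (-1)^{u_{n-1}} (1 - (-1)^{u_n}) W_{f_2}(\mathbf{u}).$$

Thus, $W_f(\mathbf{u}, u_{n-1}, 0) = 2W_{f_1}(\mathbf{u})$ and $W_f(\mathbf{u}, u_{n-1}, 1) = 2(-1)^{u_{n-1}} W_{f_2}(\mathbf{u})$. It follows that

$$\max_{(\mathbf{u}, u_{n-1}, u_n) \in \mathbb{F}_2^n} |W_f(\mathbf{u}, u_{n-1}, u_n)| = 2 \max_{\mathbf{u} \in \mathbb{F}_2^{n-2}} |W_{f_1}(\mathbf{u})| = 2^{n-1} - 4\,nl(f_1).$$

Therefore,

$$nl(f) = 2^{n-2} + 2\,nl(f_1).$$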

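Next, we take two cases of Construction 2, as they are slightly different. The other cases are similar to these.

Case 1. Let $f = f_1 \| f_2 \| \bar{f}_1 \| \bar{f}_2$. As above,

$$W_f(\mathbf{u}, u_{n-1}, u_n) = W_{f_1}(\mathbf{u}) + (-1)^{u_{n-1}} W_{f_2}(\mathbf{u}) + (-1)^{u_n} W_{\bar{f}_1}(\mathbf{u}) + (-1)^{u_{n-1} + u_n} W_{\bar{f}_2}(\mathbf{u})$$

$$= (1 - (-1)^{u_n}) W_{f_1}(\mathbf{u}) + (-1)^{u_{n-1}} (1 - (-1)^{u_n}) W_{f_2}(\mathbf{u})$$

$$= (1 - (-1)^{u_n}) \left( W_{f_1}(\mathbf{u}) + (-1)^{u_{n-1}} W_{f_2}(\mathbf{u}) \right).$$

Case 2. Let $f = f_1 \| f_2 \| \bar{f}_2 \| \bar{f}_1$. Then,

$$W_f(\mathbf{u}, u_{n-1}, u_n) = W_{f_1}(\mathbf{u}) + (-1)^{u_{n-1}} W_{f_2}(\mathbf{u}) + (-1)^{u_n} W_{\bar{f}_2}(\mathbf{u}) + (-1)^{u_{n-1} + u_n} W_{\bar{f}_1}(\mathbf{u})$$

$$= (1 - (-1)^{u_{n-1} + u_n}) W_{f_1}(\mathbf{u}) + (-1)^{u_{n-1}} (1 - (-1)^{u_{n-1} + u_n}) W_{f_2}(\mathbf{u})$$

$$= (1 - (-1)^{u_n + u_{n-1}}) \left( W_{f_1}(\mathbf{u}) + (-1)^{u_{n-1}} W_{f_2}(\mathbf{u}) \right).$$

Regardless of the case, we see that for Construction 2, we have

$$\max_{(\mathbf{u}, u_{n-1}, u_n) \in \mathbb{F}_2^n} |W_f(\mathbf{u}, u_{n-1}, u_n)| = 4 \max_{\mathbf{u} \in \mathbb{F}_2^{n-2}} |W_{f_1}(\mathbf{u})| = 2^n - 8\,nl(f_1),$$

which renders

$$nl(f) = 4\,nl(f_1).$$

□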


We note that the nonlinearity in Construction 1 is much better than that of Construction 2 with $n > 3$. It is attributed to the following reasoning. Since $f_1 \in \mathcal{B}_{n-2}$,

$$nl(f_1) \le 2^{n-3} - 2^{n/2-2} < 2^{n-3}.$$

Therefore,

$$nl(f) = 2^{n-2} + 2\,nl(f_1) > 4\,nl(f_1).$$

As for the algebraic immunity, in most cases, $\deg(f_1(\mathbf{x}A \oplus \mathbf{b}) \oplus f_1) = \deg(f_1)$. That is, $\deg(f) = \deg(f_1) + 1$. By Lemma 5.4.3, it is usually the case that

$$AI(f_1 \| f_2) = AI(f_1) + 1.$$

That is,

$$AI(f) \ge AI(f_1) + 1.$$

Also, we note $nl(f)$ is much better than $nl(f_1)$. Additionally, the fast correlation attack on $f$ has an on-line complexity proportional to $\left(\frac{1}{\epsilon}\right)^2$ where $\epsilon(f) = \frac{nl(f)}{2^n} - \frac{1}{2}$ is the bias of nonlinearity [20]. The bias for Construction 1 is

$$\epsilon(f) = \frac{nl(f)}{2^n} - \frac{1}{2} = \frac{1}{4} + \frac{nl(f_1)}{2^{n-1}} - \frac{1}{2} = \frac{1}{2}\left(\frac{nl(f_1)}{2^{n-2}} - \frac{1}{2}\right).$$


This  shows  our  constructions  improve  against  correlation  attacks  when  compared  to  the 
base  function. 
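The following added example (not code from the thesis or from [27]) checks three of the statements above on truth tables: Lemma 5.2.2 against Tables 5.1 and 5.2, the $r = 1$ case of Lemma 5.4.1, and the Construction 1 case $f = f_1 \| f_2 \| f_1 \| \bar{f}_2$ of Theorem 5.4.4. The base function $f_1 = x_1x_2 \oplus x_3$, the matrix $A$, the vector $\mathbf{b}$ and all function names are assumptions chosen for illustration.

```python
"""Truth-table checks for Lemma 5.2.2, Lemma 5.4.1 and Construction 1.

Index convention (as in Tables 5.1 and 5.2): entry i of a truth table is the
value at x with x1 = bit 0 of i, x2 = bit 1, ...; the newest variable is the
most significant bit, so f || g is plain list concatenation.
"""


def anf(tt):
    """Binary Moebius transform: truth table -> ANF coefficients."""
    a = list(tt)
    step = 1
    while step < len(a):
        for i in range(len(a)):
            if i & step:
                a[i] ^= a[i ^ step]
        step <<= 1
    return a


def monomials(tt):
    """ANF as a set of monomials; (1, 3) is x1*x3, () is the constant 1."""
    n = len(tt).bit_length() - 1
    return {tuple(v + 1 for v in range(n) if m >> v & 1)
            for m, c in enumerate(anf(tt)) if c}


def degree(tt):
    """Algebraic degree (0 for constant functions)."""
    return max((bin(m).count("1") for m, c in enumerate(anf(tt)) if c), default=0)


def walsh(tt):
    """Walsh-Hadamard spectrum W_f(u) = sum_x (-1)^(f(x) + u.x)."""
    w = [1 - 2 * bit for bit in tt]
    step = 1
    while step < len(w):
        for i in range(0, len(w), 2 * step):
            for j in range(i, i + step):
                w[j], w[j + step] = w[j] + w[j + step], w[j] - w[j + step]
        step <<= 1
    return w


def nonlinearity(tt):
    """nl(f) = 2^(n-1) - max|W_f| / 2."""
    return len(tt) // 2 - max(abs(v) for v in walsh(tt)) // 2


def affine_image(tt, rows, b):
    """Truth table of x -> f(Ax + b) over F2; rows[i] is row i of A as a bitmask."""
    image = []
    for x in range(len(tt)):
        y = b
        for i, row in enumerate(rows):
            y ^= (bin(row & x).count("1") & 1) << i
        image.append(y)
    if len(set(image)) != len(tt):
        raise ValueError("A is not invertible over F2")
    return [tt[y] for y in image]


def construction1(f1, f2):
    """f1 || f2 || f1 || (f2 + 1), the case worked in the proof of Theorem 5.4.4."""
    return f1 + f2 + f1 + [bit ^ 1 for bit in f2]


def check_lemma_5_4_1(f, g):
    """r = 1: W_h(u, 0) = W_f(u) + W_g(u) and W_h(u, 1) = W_f(u) - W_g(u)."""
    wf, wg, wh = walsh(f), walsh(g), walsh(f + g)
    half = len(f)
    return all(wh[u] == wf[u] + wg[u] and wh[half + u] == wf[u] - wg[u]
               for u in range(half))


# Columns f(x) and g(x) of Table 5.1, rows ordered 000 ... 111 in (x3, x2, x1).
F_TABLE = [0, 1, 1, 0, 1, 1, 1, 0]
G_TABLE = [1, 0, 1, 1, 0, 1, 1, 0]

# Constructed base function (an assumption of this example): f1 = x1*x2 + x3,
# balanced, on n - 2 = 3 variables, and f2(x) = f1(Ax + b) with
# y1 = x1 + x3, y2 = x2 + 1, y3 = x3.
F1 = [0, 0, 0, 1, 1, 1, 1, 0]
F2 = affine_image(F1, rows=[0b101, 0b010, 0b100], b=0b010)


def summarize():
    """Properties of f = construction1(F1, F2) next to the theorem's formula."""
    f = construction1(F1, F2)
    n = len(f).bit_length() - 1
    return {
        "n": n,
        "balanced": sum(f) == len(f) // 2,
        "degree": degree(f),
        "nl_f1": nonlinearity(F1),
        "nl_f": nonlinearity(f),
        "nl_formula": 2 ** (n - 2) + 2 * nonlinearity(F1),
    }


if __name__ == "__main__":
    print(sorted(monomials(F_TABLE + G_TABLE), key=lambda m: (len(m), m)))
    print(check_lemma_5_4_1(F_TABLE, G_TABLE))
    print(summarize())
```

With this base function the five-variable result reaches nonlinearity 12, and its spectrum splits exactly as in the proof: $2W_{f_1}$ on the half with $u_n = 0$ and $\pm 2W_{f_2}$ on the half with $u_n = 1$.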


Proposition  5.4.5.  [75,  Proposition  1]  Let  f  =  fi  \\  h  ||  /3  ||  be  an  element  of  Bn+2 
where  n  is  even.  Let  fi  G  Bn  with  i  =  1, . . . ,  4  have  maximum  algebraic  immunity,  that  is 


AI(fi )  =  —  .  Let  fi  be  such  that  for  any  function  g  ofdeg(g)  =  e,  e  G 

we  have  deg(f\g)  =  d  >  AI(fi),  and  e  +  d  >  n.  Also  let  f\  —  fi  ©  1.  Then 


-  1 


Mf) 


+  1; 


which  shows  that  f  has  maximum  algebraic  immunity. 
Using Proposition 5.4.5, we can further infer that if we take $f_1, f_2 \in \mathcal{B}_n$ with $n$ even of maximum AI, with the property that for any function $g$ of algebraic degree $1 \le e \le \lceil n/2 \rceil - 1$, we have $\deg(f_1 g) = d \ge AI(f_1)$ and $e + d \ge n$, then $f = f_1 \| f_2 \| f_1 \| f_2$ has maximum AI. The Boolean functions with maximum algebraic immunity are called perfect algebraic immune (PAI) [78]. Liu et al. introduced the notion of PAI and showed that if $f_1$ is a balanced PAI, then $n = 2^k + 1$ for some $k$; if $f_1$ is unbalanced, then $n = 2^k$, for some $k$ [78, Theorem 7]. Next, we present the results related to normality of our constructions.

Theorem 5.4.6. [27] Let $f_i, f_j \in \mathcal{B}_{n-2}$. If $f_i$ or $f_j$, whichever does not have its complementation in Construction 1, is $k$-normal, then the functions $f$ of Construction 1 are at least $(k+1)$-normal.

Proof. Due to the affine equivalence to $f_i$, $f_j$ is $k$-normal. If $f_j$ is invariant, say 0 on a $k$-dimensional flat, then $\bar{f}_j$ is invariant with 1 on the same flat, which shows that $\bar{f}_j$ is $k$-normal. We prove for the case $f = f_i \| f_j \| f_i \| \bar{f}_j$ only, since the others can be shown by similar arguments. We show the existence of a $(k+1)$-dimensional affine subspace where $f(\mathbf{x})$ is a constant. Let $\mathbf{z}_1, \ldots, \mathbf{z}_k$ be $k$ distinct, linearly independent vectors in $\mathbb{F}_2^{n-2}$, $\mathbf{d} = (d_1, d_2, \ldots, d_{n-2})$ be a vector in $\mathbb{F}_2^{n-2}$, and $a_i \in \mathbb{F}_2$ for $1 \le i \le k$. We define a $k$-dimensional flat $G = \{\mathbf{x} \in \mathbb{F}_2^{n-2} \mid \mathbf{x} = a_1\mathbf{z}_1 + a_2\mathbf{z}_2 + \cdots + a_k\mathbf{z}_k + \mathbf{d},\ a_i \in \mathbb{F}_2,\ 1 \le i \le k\}$ such that $f_i|_G = 0$. In construction of $f$, we integrate two variables, $x_{n-1}$ and $x_n$, into the domain of $f_i$, and we can construct a $(k+1)$-dimensional flat in the following way. Let $\mathbf{z}_l = (z_{l1}, z_{l2}, \ldots, z_{l(n-2)})$ where $1 \le l \le k$. We set

$$\mathbf{z}'_l = (z_{l1}, z_{l2}, \ldots, z_{l(n-2)}, 0, 0),$$

$$\mathbf{z}'_{k+1} = (0, \ldots, 0, 0, 1),$$

and

$$\mathbf{d}' = (d_1, d_2, \ldots, d_{n-2}, 0, 0)$$

where $\mathbf{z}'_{k+1}, \mathbf{d}' \in \mathbb{F}_2^n$. Then

$$G' = \{\mathbf{x}' \in \mathbb{F}_2^n \mid \mathbf{x}' = a_1\mathbf{z}'_1 + a_2\mathbf{z}'_2 + \cdots + a_{k+1}\mathbf{z}'_{k+1} + \mathbf{d}',\ a_i \in \mathbb{F}_2,\ 1 \le i \le k+1\}.$$

If a vector $\mathbf{x}' \in G'$ with $a_{k+1} = 0$, then $f$ follows the first $f_i$ in the construction. If a vector $\mathbf{x}' \in G'$ with $a_{k+1} = 1$, then $f$ follows the third $f_i$ in the construction. Therefore, $G'$ is a $(k+1)$-dimensional flat such that $f|_{G'} = 0$. □

Generally, it is difficult to establish a proper limit to the normality of a function. Let $f_i$ or $f_j$, whichever does not have its complementation in Construction 1, be $k$-normal but not $(k+1)$-normal, and we show that the function $f$ of Construction 1 cannot have a constant function value on the $(k+2)$-dimensional flat $H = \{a_1\mathbf{e}_{i_1} \oplus \cdots \oplus a_{k+2}\mathbf{e}_{i_{k+2}} \oplus \mathbf{d}\}$, where $\mathbf{d} = (y_1, \ldots, y_n)$ is a fixed vector in $\mathbb{F}_2^n$ and $\mathbf{e}_{i_m} = (x_1, \ldots, x_n)$ is an elementary vector such that $x_j = 1$ if and only if $j = i_m$ with $1 \le i_m \le n$. We assume $f = f_i \| f_j \| f_i \| \bar{f}_j$ since the others can be shown by similar arguments. Let us also assume that $H$ exists. We observe that $y_{i_m}$ is irrelevant (whether it is 0 or 1) due to $\mathbf{e}_{i_m}$, so we set $\mathbf{d}$ with $y_{i_1} = \ldots = y_{i_{k+2}} = 0$. To illustrate better, we rewrite the restriction of our function to $H$ as follows:

f  (x)  |  H  =  (Xn-ifi  ©£n—  i/j)||(®n— lfi  ®Xn_Jj)  \H 

%n(jEn—lfi  ©  •En—lfj )  ©  -En^n—lfi  ©  %n—  if  j)  \  H 


%n—l(%nfi  ©  %nfi)  ©  ^ nfj )  | H 


fi  ffi  %n—lfi  ©  -Eri— if  j  ©  •^n—l^n  \  H- 

Without loss of generality, we assume $f(\mathbf{x}) = 0$ for all $\mathbf{x} = (x_1, \ldots, x_n) \in H$, and we examine the following cases, depending upon the values of $x_{n-1}$ and $x_n$.

Case 1: $n - 1, n \notin \{i_1, i_2, \ldots, i_{k+2}\}$. Then $x_{n-1} = d_{n-1}$, and $d_n = x_n$. We observe that for all possible values for $x_{n-1}$ and $x_n$, $f|_H$ is one of the functions $f_i$, $f_j$, or $\bar{f}_j$. Since each function is only $k$-normal, there exists at least one $\mathbf{x} \in H$ such that $f(\mathbf{x})|_H = 1$, which is a contradiction.

Case 2: $n - 1 \notin \{i_1, i_2, \ldots, i_{k+2}\}$ and $x_n \in \{i_1, i_2, \ldots, i_{k+2}\}$. Then $x_{n-1} = d_{n-1}$. If $x_{n-1} = 0$, then regardless of the value of $x_n$, $f|_H$ follows the function $f_i$. We note that we can only increase the normality to $k + 1$ using $x_n$, since $f_i$ is $k$-normal. Therefore, there exists at least one $\mathbf{x} \in H$ such that $f(\mathbf{x})|_H = 1$, which is a contradiction. If $x_{n-1} = 1$, $f|_H$ follows the function $f_j$ with $x_n = 0$ or $\bar{f}_j$ with $x_n = 1$. Clearly, $f|_H$ is at most $k$-normal, since $\bar{f}_j = f_j \oplus 1$. So, there exists at least one $\mathbf{x} \in H$ such that $f(\mathbf{x})|_H = 1$, which is a contradiction.

Case 3: $n \notin \{i_1, i_2, \ldots, i_{k+2}\}$ and $x_{n-1} \in \{i_1, i_2, \ldots, i_{k+2}\}$. Then $d_n = x_n$. If $x_n = 0$, then $f|_H$ follows the function $f_i \| f_j$. Also, if $x_n = 1$, then $f|_H$ follows the function $f_i \| \bar{f}_j$. In both instances, we can only increase the normality to $k + 1$, since $f_i$, $f_j$ and $\bar{f}_j$ are $k$-normal.

Case 4: $x_{n-1}, x_n \in \{i_1, i_2, \ldots, i_{k+2}\}$. In this case $f|_H$ follows $f_i \| f_j \| f_i \| \bar{f}_j|_H$, and any two vectors $\mathbf{x}', \mathbf{x}'' \in H$ in the forms of $\mathbf{x}' = (a_1, \ldots, a_{n-2}, 1, 0)$ and $\mathbf{x}'' = (b_1, \ldots, b_{n-2}, 1, 1)$ with $a_l, b_l \in \mathbb{F}_2$, $1 \le l \le n - 2$ have opposite function values. Therefore, we have a contradiction.

Under what conditions the functions of Construction 1 are $(k+2)$-normal remains an open problem. Using a similar approach, we can show a similar result for the functions of Construction 2.

Theorem 5.4.7. [27] If $f_i$ is $k$-normal, then the functions $f$ of Construction 2 are $k$ or $(k+1)$-normal.

Proof.  We  prove  for  /  =  /,  ||/?  ||/,;  ||/:;  since  the  proofs  for  other  cases  are  similar.  Since  f% 
is  Abnormal,  /  is  at  least  Abnormal.  Also  we  observe  that  if  f,  =  fj,  then  we  have 

/  =  /iii/iii/iii/i- 
Using the same technique in Theorem 5.4.6, we show the existence of a $(k+1)$-dimensional affine subspace where $f(\mathbf{x})$ is a constant. Let $\mathbf{z}_1, \ldots, \mathbf{z}_k$ be $k$ distinct, linearly independent vectors, $\mathbf{d} = (d_1, d_2, \ldots, d_{n-2})$ be a vector in $\mathbb{F}_2^{n-2}$, and $a_i \in \mathbb{F}_2$ for $1 \le i \le k$. We define a $k$-dimensional flat $G = \{\mathbf{x} \in \mathbb{F}_2^{n-2} \mid \mathbf{x} = a_1\mathbf{z}_1 + a_2\mathbf{z}_2 + \cdots + a_k\mathbf{z}_k + \mathbf{d},\ a_i \in \mathbb{F}_2,\ 1 \le i \le k\}$ such that $f_i|_G = 0$. In construction of $f$, we integrate two variables, $x_{n-1}$ and $x_n$, into the domain of $f_i$, and we can construct a $(k+1)$-dimensional flat in the following way. Let $\mathbf{z}_l = (z_{l1}, z_{l2}, \ldots, z_{l(n-2)})$ where $1 \le l \le k$. We set

$$\mathbf{z}'_l = (z_{l1}, z_{l2}, \ldots, z_{l(n-2)}, 0, 0),$$

$$\mathbf{z}'_{k+1} = (0, \ldots, 0, 1, 0),$$

and

$$\mathbf{d}' = (d_1, d_2, \ldots, d_{n-2}, 0, 0)$$

where $\mathbf{z}'_{k+1}, \mathbf{d}' \in \mathbb{F}_2^n$. Then

$$G' = \{\mathbf{x}' \in \mathbb{F}_2^n \mid \mathbf{x}' = a_1\mathbf{z}'_1 + a_2\mathbf{z}'_2 + \cdots + a_{k+1}\mathbf{z}'_{k+1} + \mathbf{d}',\ a_i \in \mathbb{F}_2,\ 1 \le i \le k+1\}.$$

If a vector $\mathbf{x}' \in G'$ with $a_{k+1} = 0$, then $f$ follows the first $f_i$ in the construction. If a vector $\mathbf{x}' \in G'$ with $a_{k+1} = 1$, then $f$ follows the second $f_i$ in the construction. Therefore, $G'$ is a $(k+1)$-dimensional flat such that $f|_{G'} = 0$. Therefore, the theorem holds. □

We also present a similar result on the normality of the functions of Construction 2. Let $f_i$ in Construction 2 be $k$-normal but not $(k + 1)$-normal, and we show that the function $f$ of Construction 2 cannot have a constant function value on the $(k + 2)$-dimensional flat $H = \{a_1\mathbf{e}_{i_1} \oplus \cdots \oplus a_{k+2}\mathbf{e}_{i_{k+2}} \oplus \mathbf{d}\}$, where $\mathbf{d} = (y_1, \ldots, y_n)$ is a fixed vector in $\mathbb{F}_2^n$ and $\mathbf{e}_{i_m} = (x_1, \ldots, x_n)$ is an elementary vector such that $x_j = 1$ if and only if $j = i_m$ with 1 < < n. We assume $f = f_i \| f_j \| \bar{f}_i \| \bar{f}_j$, since the others can be shown by similar arguments. Let us also assume that $H$ exists. We observe that $y_{i_m}$ is irrelevant (whether it is 0 or 1) due to $\mathbf{e}_{i_m}$, so we set $\mathbf{d}$ with $y_{i_1} = \cdots = y_{i_{k+2}} = 0$. To illustrate better, we rewrite the restriction of our function to $H$ as follows:

$$\begin{aligned}
f(\mathbf{x})|_H &= (\bar{x}_{n-1} f_i \oplus x_{n-1} f_j) \,\|\, (\bar{x}_{n-1} \bar{f}_i \oplus x_{n-1} \bar{f}_j)\,|_H \\
&= \bar{x}_n(\bar{x}_{n-1} f_i \oplus x_{n-1} f_j) \oplus x_n(\bar{x}_{n-1} \bar{f}_i \oplus x_{n-1} \bar{f}_j)\,|_H \\
&= \bar{x}_{n-1}(\bar{x}_n f_i \oplus x_n f_i) \oplus x_{n-1}(\bar{x}_n f_j \oplus x_n f_j) \oplus x_n \\
&= f_i \oplus x_{n-1} f_i \oplus x_{n-1} f_j \oplus x_n\,|_H.
\end{aligned}$$

Without loss of generality, we assume $f(\mathbf{x}) = 0$ for all $\mathbf{x} = (x_1, \ldots, x_n) \in H$, and we examine the following cases, depending upon the variables $x_{n-1}$ and $x_n$.

Case 1: $n - 1, n \notin \{i_1, i_2, \ldots, i_{k+2}\}$. Then $x_{n-1} = d_{n-1}$, and $d_n = x_n$. We observe that, for all possible values for $x_{n-1}$ and $x_n$, $f|_H$ follows one of the functions $f_i$, $f_j$, or $\bar{f}_j$. Since each function is only $k$-normal, there exists at least one $\mathbf{x} \in H$ with $f(\mathbf{x}) = 1$, a contradiction. We note that the other instances where $x_{n-1} = y_{i_m}$ or $x_n = y_{i_m}$ are covered by the other cases.

Case 2: $n - 1 \notin \{i_1, i_2, \ldots, i_{k+2}\}$ and $x_n \in \{i_1, i_2, \ldots, i_{k+2}\}$. Then $x_{n-1} = d_{n-1}$. If $x_{n-1} = 0$, $f|_H$ follows the function $f_i$ or $\bar{f}_i$. We know each function is $k$-normal. Since $f_i$ and $\bar{f}_i$ have opposite function values in $H$, there exists at least one $\mathbf{x} \in H$ with $f(\mathbf{x}) = 1$, a contradiction. If $x_{n-1} = 1$, $f|_H$ follows $f_j$ or $\bar{f}_j$, the same justification applies, and we have a contradiction.

Case 3: $n \notin \{i_1, i_2, \ldots, i_{k+2}\}$ and $x_{n-1} \in \{i_1, i_2, \ldots, i_{k+2}\}$. Then $d_n = x_n$. If $x_n = 0$, then $f|_H$ follows the function $f_i \| f_j$. If $x_n = 1$, then $f|_H$ again follows the function $\bar{f}_i \| \bar{f}_j$. In either case, we can only have a $(k + 1)$-normal function, which is a contradiction.

Case 4: $x_{n-1}, x_n \in \{i_1, i_2, \ldots, i_{k+2}\}$. In this case $f|_H$ follows $f = f_i \| f_j \| \bar{f}_i \| \bar{f}_j$, and any two vectors $\mathbf{x}', \mathbf{x}'' \in H$ in the forms of $\mathbf{x}' = (a_1, \ldots, a_{n-2}, 0, 0)$ and $\mathbf{x}'' = (b_1, \ldots, b_{n-2}, 0, 1)$ with $a_i, b_i \in \mathbb{F}_2$, $1 \le i \le n - 2$, have opposite function values. Therefore, we have a contradiction.

Remark 5.4.8. References [73] and [74] contain the constructions of normal or non-normal functions based upon some of the functions of Construction 1, namely $f_1 \| f_2 \| f_2 \| f_1$, where $f_i$ are bent or have some normality properties.

Finally,  we  investigate  the  propagation  property  of  our  construction. 

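Theorem 5.4.9. [27] If the base functions $f_1$ and $f_2$ in Construction 1 satisfy the strict avalanche criterion, then $f$ satisfies the strict avalanche criterion.

Proof. We recall that we add two variables $x_{n-1}$ and $x_n$ when we concatenate the functions. For every vector $\mathbf{y} \in \mathbb{F}_2^n$, write $\mathbf{y} = (\mathbf{y}_{n-2}, y_{n-1}, y_n)$ with $\mathbf{y}_{n-2} \in \mathbb{F}_2^{n-2}$. We shall show the claim for $f = f_1 \| f_2 \| f_1 \| \bar{f}_2$, as all the other possibilities are similar. To apply Lemma 2.3.9, we check $f' = f(\mathbf{x}) \oplus f(\mathbf{x} \oplus \mathbf{a})$ where $\mathbf{a} \in \mathbb{F}_2^n$ has weight $wt(\mathbf{a}) = 1$. We consider three possible cases.

Case 1. Let $\mathbf{a} = (0, \ldots, 0, 1)$. Then,

$$\begin{aligned}
f(\mathbf{x}) \oplus f(\mathbf{x} \oplus \mathbf{a}) &= (f_1 \| f_2)(\mathbf{x}_{n-2}, x_{n-1})\,\bar{x}_n \oplus (f_1 \| \bar{f}_2)(\mathbf{x}_{n-2}, x_{n-1})\,x_n \\
&\quad \oplus (f_1 \| f_2)(\mathbf{x}_{n-2}, x_{n-1})\,x_n \oplus (f_1 \| \bar{f}_2)(\mathbf{x}_{n-2}, x_{n-1})\,\bar{x}_n \\
&= (f_1 \| f_2)(\mathbf{x}_{n-2}, x_{n-1}) \oplus (f_1 \| \bar{f}_2)(\mathbf{x}_{n-2}, x_{n-1}).
\end{aligned}$$

Clearly, it is a balanced function.

Case 2. Take $\mathbf{a} = (0, \ldots, 1, 0)$. Then

$$\begin{aligned}
f(\mathbf{x}) \oplus f(\mathbf{x} \oplus \mathbf{a}) &= (f_1 \| f_2)(\mathbf{x}_{n-2}, x_{n-1})\,\bar{x}_n \oplus (f_1 \| \bar{f}_2)(\mathbf{x}_{n-2}, x_{n-1})\,x_n \\
&\quad \oplus (f_1 \| f_2)(\mathbf{x}_{n-2}, \bar{x}_{n-1})\,\bar{x}_n \oplus (f_1 \| \bar{f}_2)(\mathbf{x}_{n-2}, \bar{x}_{n-1})\,x_n \\
&= f_1(\mathbf{x}_{n-2})\bar{x}_{n-1}\bar{x}_n \oplus f_2(\mathbf{x}_{n-2})x_{n-1}\bar{x}_n \oplus f_1(\mathbf{x}_{n-2})\bar{x}_{n-1}x_n \oplus \bar{f}_2(\mathbf{x}_{n-2})x_{n-1}x_n \\
&\quad \oplus f_1(\mathbf{x}_{n-2})x_{n-1}\bar{x}_n \oplus f_2(\mathbf{x}_{n-2})\bar{x}_{n-1}\bar{x}_n \oplus f_1(\mathbf{x}_{n-2})x_{n-1}x_n \oplus \bar{f}_2(\mathbf{x}_{n-2})\bar{x}_{n-1}x_n \\
&= (f_1(\mathbf{x}_{n-2}) \oplus f_2(\mathbf{x}_{n-2}))\,\bar{x}_n \oplus (f_1(\mathbf{x}_{n-2}) \oplus \bar{f}_2(\mathbf{x}_{n-2}))\,x_n \\
&= f_1(\mathbf{x}_{n-2}) \oplus f_2(\mathbf{x}_{n-2}) \oplus x_n,
\end{aligned}$$

which is balanced regardless of whether $f_1 \oplus f_2$ is balanced or not.

Case 3. Take $\mathbf{a} = (\mathbf{a}', 0, 0)$, with $wt(\mathbf{a}') = 1$. Write $\mathbf{x}_a = \mathbf{x}_{n-2} \oplus \mathbf{a}'$. Then,

$$\begin{aligned}
f(\mathbf{x}) \oplus f(\mathbf{x} \oplus \mathbf{a}) &= (f_1 \| f_2)(\mathbf{x}_{n-2}, x_{n-1})\,\bar{x}_n \oplus (f_1 \| \bar{f}_2)(\mathbf{x}_{n-2}, x_{n-1})\,x_n \\
&\quad \oplus (f_1 \| f_2)(\mathbf{x}_a, x_{n-1})\,\bar{x}_n \oplus (f_1 \| \bar{f}_2)(\mathbf{x}_a, x_{n-1})\,x_n \\
&= f_1(\mathbf{x}_{n-2})\bar{x}_{n-1}\bar{x}_n \oplus f_2(\mathbf{x}_{n-2})x_{n-1}\bar{x}_n \oplus f_1(\mathbf{x}_{n-2})\bar{x}_{n-1}x_n \oplus \bar{f}_2(\mathbf{x}_{n-2})x_{n-1}x_n \\
&\quad \oplus f_1(\mathbf{x}_a)\bar{x}_{n-1}\bar{x}_n \oplus f_2(\mathbf{x}_a)x_{n-1}\bar{x}_n \oplus f_1(\mathbf{x}_a)\bar{x}_{n-1}x_n \oplus \bar{f}_2(\mathbf{x}_a)x_{n-1}x_n \\
&= (f_1(\mathbf{x}_{n-2}) \oplus f_1(\mathbf{x}_a))\,\bar{x}_{n-1}\bar{x}_n \oplus (f_2(\mathbf{x}_{n-2}) \oplus f_2(\mathbf{x}_a))\,x_{n-1}\bar{x}_n \\
&\quad \oplus (f_1(\mathbf{x}_{n-2}) \oplus f_1(\mathbf{x}_a))\,\bar{x}_{n-1}x_n \oplus (\bar{f}_2(\mathbf{x}_{n-2}) \oplus \bar{f}_2(\mathbf{x}_a))\,x_{n-1}x_n \\
&= (f_1(\mathbf{x}_{n-2}) \oplus f_1(\mathbf{x}_a))\,\bar{x}_{n-1} \oplus (f_2(\mathbf{x}_{n-2}) \oplus f_2(\mathbf{x}_a))\,x_{n-1},
\end{aligned}$$

which is balanced. Since $f_1$ and $f_2$ satisfy the strict avalanche criterion, both $f_1(\mathbf{x}_{n-2}) \oplus f_1(\mathbf{x}_{n-2} \oplus \mathbf{a}')$ and $f_2(\mathbf{x}_{n-2}) \oplus f_2(\mathbf{x}_{n-2} \oplus \mathbf{a}')$ are balanced. We note that $f'$ is balanced for all the cases. Then, we have

$$C_f(\mathbf{u}) = 0,$$

for all $\mathbf{u} \in \mathbb{F}_2^n$ with $wt(\mathbf{u}) = 1$. By Lemma 2.3.9, we conclude that $f$ satisfies the SAC. □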




Theorem  5.4.10.  [27]  With  {i,  j}  =  {1,  2},  if  fi,  fj  satisfy  the  strict  avalanche  criterion 
and  fi®fj  is  balanced,  then  the  functions  of  Construction  2  of  the  form  /,  1 1  f3  \  \  fj  1 1  /* ,  ft  \  \  fj  \  \  f)  \  f 
satisfy  the  strict  avalanche  criterion. 


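Proof. For every vector $\mathbf{y} \in \mathbb{F}_2^n$, we write $\mathbf{y} = (\mathbf{y}_{n-2}, y_{n-1}, y_n)$ with $\mathbf{y}_{n-2} \in \mathbb{F}_2^{n-2}$. We show the claim in the case $f = f_1 \| f_2 \| \bar{f}_2 \| \bar{f}_1$, as all the other possibilities are similar. Let $\mathbf{a} \in \mathbb{F}_2^n$ be of weight $wt(\mathbf{a}) = 1$. We consider these three cases.

Case 1. Take $\mathbf{a} = (0, \ldots, 0, 1)$. Then

$$\begin{aligned}
f(\mathbf{x}) \oplus f(\mathbf{x} \oplus \mathbf{a}) &= (f_1 \| f_2)(\mathbf{x}_{n-2}, x_{n-1})\,\bar{x}_n \oplus (\bar{f}_2 \| \bar{f}_1)(\mathbf{x}_{n-2}, x_{n-1})\,x_n \\
&\quad \oplus (f_1 \| f_2)(\mathbf{x}_{n-2}, x_{n-1})\,x_n \oplus (\bar{f}_2 \| \bar{f}_1)(\mathbf{x}_{n-2}, x_{n-1})\,\bar{x}_n \\
&= (f_1 \| f_2)(\mathbf{x}_{n-2}, x_{n-1}) \oplus (\bar{f}_2 \| \bar{f}_1)(\mathbf{x}_{n-2}, x_{n-1}) \\
&= f_1(\mathbf{x}_{n-2}) \oplus f_2(\mathbf{x}_{n-2}) \oplus 1.
\end{aligned}$$

Since $f_1(\mathbf{x}_{n-2}) \oplus f_2(\mathbf{x}_{n-2})$ is balanced, its complement is balanced.

Case 2. Take $\mathbf{a} = (0, \ldots, 1, 0)$. Then

$$\begin{aligned}
f(\mathbf{x}) \oplus f(\mathbf{x} \oplus \mathbf{a}) &= (f_1 \| f_2)(\mathbf{x}_{n-2}, x_{n-1})\,\bar{x}_n \oplus (\bar{f}_2 \| \bar{f}_1)(\mathbf{x}_{n-2}, x_{n-1})\,x_n \\
&\quad \oplus (f_1 \| f_2)(\mathbf{x}_{n-2}, \bar{x}_{n-1})\,\bar{x}_n \oplus (\bar{f}_2 \| \bar{f}_1)(\mathbf{x}_{n-2}, \bar{x}_{n-1})\,x_n \\
&= f_1(\mathbf{x}_{n-2})\bar{x}_{n-1}\bar{x}_n \oplus f_2(\mathbf{x}_{n-2})x_{n-1}\bar{x}_n \oplus \bar{f}_2(\mathbf{x}_{n-2})\bar{x}_{n-1}x_n \oplus \bar{f}_1(\mathbf{x}_{n-2})x_{n-1}x_n \\
&\quad \oplus f_1(\mathbf{x}_{n-2})x_{n-1}\bar{x}_n \oplus f_2(\mathbf{x}_{n-2})\bar{x}_{n-1}\bar{x}_n \oplus \bar{f}_2(\mathbf{x}_{n-2})x_{n-1}x_n \oplus \bar{f}_1(\mathbf{x}_{n-2})\bar{x}_{n-1}x_n \\
&= (f_1(\mathbf{x}_{n-2}) \oplus f_2(\mathbf{x}_{n-2}))\,\bar{x}_n \oplus (\bar{f}_1(\mathbf{x}_{n-2}) \oplus \bar{f}_2(\mathbf{x}_{n-2}))\,x_n \\
&= f_1(\mathbf{x}_{n-2}) \oplus f_2(\mathbf{x}_{n-2}),
\end{aligned}$$

which is balanced.

Case 3. Take $\mathbf{a} = (\mathbf{a}', 0, 0)$, with $wt(\mathbf{a}') = 1$. Write $\mathbf{x}_a = \mathbf{x}_{n-2} \oplus \mathbf{a}'$. Then,

$$\begin{aligned}
f(\mathbf{x}) \oplus f(\mathbf{x} \oplus \mathbf{a}) &= (f_1 \| f_2)(\mathbf{x}_{n-2}, x_{n-1})\,\bar{x}_n \oplus (\bar{f}_2 \| \bar{f}_1)(\mathbf{x}_{n-2}, x_{n-1})\,x_n \\
&\quad \oplus (f_1 \| f_2)(\mathbf{x}_a, x_{n-1})\,\bar{x}_n \oplus (\bar{f}_2 \| \bar{f}_1)(\mathbf{x}_a, x_{n-1})\,x_n \\
&= f_1(\mathbf{x}_{n-2})\bar{x}_{n-1}\bar{x}_n \oplus f_2(\mathbf{x}_{n-2})x_{n-1}\bar{x}_n \oplus \bar{f}_2(\mathbf{x}_{n-2})\bar{x}_{n-1}x_n \oplus \bar{f}_1(\mathbf{x}_{n-2})x_{n-1}x_n \\
&\quad \oplus f_1(\mathbf{x}_a)\bar{x}_{n-1}\bar{x}_n \oplus f_2(\mathbf{x}_a)x_{n-1}\bar{x}_n \oplus \bar{f}_2(\mathbf{x}_a)\bar{x}_{n-1}x_n \oplus \bar{f}_1(\mathbf{x}_a)x_{n-1}x_n \\
&= (f_1(\mathbf{x}_{n-2}) \oplus f_1(\mathbf{x}_a))\,\bar{x}_{n-1}\bar{x}_n \oplus (f_2(\mathbf{x}_{n-2}) \oplus f_2(\mathbf{x}_a))\,x_{n-1}\bar{x}_n \\
&\quad \oplus (\bar{f}_2(\mathbf{x}_{n-2}) \oplus \bar{f}_2(\mathbf{x}_a))\,\bar{x}_{n-1}x_n \oplus (\bar{f}_1(\mathbf{x}_{n-2}) \oplus \bar{f}_1(\mathbf{x}_a))\,x_{n-1}x_n \\
&= (f_1(\mathbf{x}_{n-2}) \oplus f_1(\mathbf{x}_a))(1 \oplus x_{n-1} \oplus x_n) \oplus (f_2(\mathbf{x}_{n-2}) \oplus f_2(\mathbf{x}_a))(x_{n-1} \oplus x_n) \\
&= (f_1(\mathbf{x}_{n-2}) \oplus f_1(\mathbf{x}_a)) \,\|\, (f_2(\mathbf{x}_{n-2}) \oplus f_2(\mathbf{x}_a)) \,\|\, (f_2(\mathbf{x}_{n-2}) \oplus f_2(\mathbf{x}_a)) \,\|\, (f_1(\mathbf{x}_{n-2}) \oplus f_1(\mathbf{x}_a)).
\end{aligned}$$

Since $f_1$ and $f_2$ satisfy the strict avalanche criterion, both $f_1(\mathbf{x}_{n-2}) \oplus f_1(\mathbf{x}_a)$ and $f_2(\mathbf{x}_{n-2}) \oplus f_2(\mathbf{x}_a)$ are balanced. Therefore, $f'$ in Case 3 is balanced. Since $f'$ is balanced for all the cases, we have

$$C_f(\mathbf{u}) = 0,$$

for all $\mathbf{u} \in \mathbb{F}_2^n$ with $wt(\mathbf{u}) = 1$. By Lemma 2.3.9, we conclude that $f$ satisfies the SAC. □

6. AN APPLICATION OF THE TWO CONSTRUCTIONS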


6.1.  INTRODUCTION 

In this chapter, we show an application of the construction methods presented in the previous chapter. In 2002, Krause [79] introduced an attack against stream ciphers based on the binary decision diagram (BDD). Several researchers have demonstrated the effectiveness of BDD-based attacks, and it has been difficult for functions with conventional cryptographic properties to counter BDD-based attacks. Various BDD-based attacks are found in [79], [80], [81], [82], and [83]. One way to counter BDD-based attacks is to integrate Boolean functions with robust BDDs [79]. There have been many constructions of Boolean functions with high algebraic immunity [77], [84], [85], [86], [87], [88], [89], [90], [91], [92], [93], [94], [95], [96], [97], [98], [99], but few took BDD-based attacks into consideration. In [100] and [101], Bryant showed that the hidden weighted-bit function (HWBF) has an exponential size of BDD regardless of variable order, and in [98], Wang et al. extensively investigated the cryptographic properties of HWBF. In this chapter, we briefly introduce the concept of the BDD and apply our construction methods from the previous chapter to HWBF. This chapter is based on Chung, Stanica, Tan, and Wang [27].

6.2.  BINARY  DECISION  DIAGRAM  (BDD) 

We mention briefly relevant findings from [102, pp. 202-280], which covers BDDs extensively. Essentially, a BDD is a tree that represents a perspective on a Boolean function in which redundant nodes are removed. The BDD is an insightful way to represent a Boolean function, since it shows how the Boolean function data is stored and handled in a computer memory system [102, p. 202]. There are various BDD definitions in technical literature. Here, we assume the BDD has ordered vertices or nodes from the lowest at the top to the highest at the bottom, and is reduced as we apply the reduction steps explained below. We illustrate the BDD using an example from [102, pp. 202-205]. Let a Boolean function, $f$, be described as in Table 6.1. A graphical way to represent the truth table of $f$ is using a tree structure, shown in Figure 6.1. We then apply a reduction algorithm on the tree, in which we remove nodes that represent a function also represented by another node in the BDD. Then we connect from the first $x_2$ to any 0 node and from the second $x_2$ to any 1 node. We note that the two middle $x_3$ nodes have the same function values, so we combine them along with the edges from the $x_2$ nodes, which results in the BDD representation of $f$ in Figure 6.2. A computer memory system can store $f$ in four different memory blocks representing the nodes, and each block points to other nodes as indicated by the BDD [102, p. 203]. The size of the BDD, denoted by $BDD(f)$, is the number of vertices in a BDD.


x = x1x2x3    000   001   010   011   100   101   110   111
f(x)           0     0     0     1     0     1     1     1

Table 6.1: Truth Table of a Boolean Function f From [102, p. 205]


Figure  6.1:  A  Tree  Representation  of  / 

Figure 6.2: BDD Representation of $f$

It is shown that every Boolean function has a unique BDD [102, p. 205]. The following are some benefits of considering BDD in Boolean function analysis [102, p. 206]:

1. From the structural point of view, we can evaluate $f(\mathbf{x})$ in at most $n$ steps by following the edges from the root vertex.

2. We can effectively identify the lexicographically smallest $\mathbf{x}$ such that $f(\mathbf{x}) = 1$ or 0 in at most $n$ steps.

3. We can find all $\mathbf{x} \in \mathbb{F}_2^n$ such that $f(\mathbf{x}) = 1$ or 0 in $O(BDD(f) \cdot n)$ steps.

4. We can efficiently generate random solutions to the equation $f(\mathbf{x}) = 1$ such that each solution is generated with equal probability.

5. We can solve the linear Boolean programming problem: Find $\mathbf{x} \in \mathbb{F}_2^n$ such that

$$u_1x_1 \oplus u_2x_2 \oplus \cdots \oplus u_nx_n = 1,$$

subject to

$$f(\mathbf{x}) = 1$$

with given constants $(u_1, u_2, \ldots, u_n)$ in $O(n + BDD(f))$ steps.
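The reduction described above can be reproduced on the Table 6.1 function. The following is an added example, not code from the thesis or from [102]: it builds the reduced ordered BDD with the order $x_1, x_2, x_3$, counts the branch nodes (the "four memory blocks"), and exercises benefits 1 and 2. Function names and the node numbering are choices made here.

```python
# f from Table 6.1, indexed by x = x1 x2 x3 read as a binary number (x1 first).
TABLE_6_1 = [0, 0, 0, 1, 0, 1, 1, 1]


def build_robdd(truth_table):
    """Return (root, nodes); ids 0 and 1 are the sinks, nodes[id] = (level, low, high)."""
    nodes = {}    # node id -> (level, low, high), level v means "tests x_v"
    unique = {}   # (level, low, high) -> node id

    def make(level, table):
        if len(table) == 1:
            return table[0]
        half = len(table) // 2
        low = make(level + 1, table[:half])     # branch taken when x_level = 0
        high = make(level + 1, table[half:])    # branch taken when x_level = 1
        if low == high:                         # the test is redundant: no node
            return low
        key = (level, low, high)
        if key not in unique:                   # same subfunction: reuse the node
            unique[key] = len(unique) + 2
            nodes[unique[key]] = key
        return unique[key]

    return make(1, tuple(truth_table)), nodes


def evaluate(root, nodes, x):
    """Benefit 1: follow one edge per tested variable, x = (x1, ..., xn)."""
    node = root
    while node > 1:
        level, low, high = nodes[node]
        node = high if x[level - 1] else low
    return node


def smallest_solution(root, nodes, n):
    """Benefit 2: lexicographically smallest x with f(x) = 1, or None if f = 0."""
    if root == 0:
        return None
    x, node = [0] * n, root
    while node > 1:
        level, low, high = nodes[node]
        # In a reduced BDD every node other than sink 0 can reach sink 1,
        # so the 0-branch is taken whenever it does not lead to sink 0.
        if low != 0:
            node = low
        else:
            x[level - 1], node = 1, high
    return tuple(x)


def truth_table_of(root, nodes, n):
    """Rebuild the truth table by evaluating the BDD on every input."""
    table = []
    for index in range(1 << n):
        x = [(index >> (n - 1 - i)) & 1 for i in range(n)]
        table.append(evaluate(root, nodes, x))
    return table


if __name__ == "__main__":
    root, nodes = build_robdd(TABLE_6_1)
    for node_id, (level, low, high) in sorted(nodes.items()):
        print(f"node {node_id}: tests x{level}, 0-edge -> {low}, 1-edge -> {high}")
    print("branch nodes:", len(nodes))
    print("smallest x with f(x) = 1:", smallest_solution(root, nodes, 3))
```

The count excludes the two sinks, which matches the four blocks mentioned in the text; conventions that also count the sinks report two more.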

6.3.  HIDDEN  WEIGHTED-BIT  FUNCTION  (HWBF) 

6.3.1.  Definition  of  HWBF 

In general, a HWBF $h_n$ takes $\mathbf{x} = (x_n, x_{n-1}, \ldots, x_1)$ as input and outputs $x_i$, where $i = wt(\mathbf{x})$.

Definition 6.3.1. We define the HWBF of $n$ variables, denoted by $h_n$, as

$$h_n(\mathbf{x}) = \begin{cases} 0, & \text{if } wt(\mathbf{x}) = 0 \\ x_{wt(\mathbf{x})}, & \text{if } wt(\mathbf{x}) > 0 \end{cases}$$

For example, we can evaluate $h_4(x_4, x_3, x_2, x_1)$ on $\mathbb{F}_2^4$ to obtain Table 6.2.


x4x3x2x1   h4(x4,x3,x2,x1)      x4x3x2x1   h4(x4,x3,x2,x1)
0000       0                    1000       0
0001       1                    1001       0
0010       0                    1010       1
0011       1                    1011       0
0100       0                    1100       0
0101       0                    1101       1
0110       1                    1110       1
0111       1                    1111       1

Table 6.2: A HWBF with n = 4


We observe that $h_4(0110) = 1$ since $wt(0110) = 2$ (so the second element of 0110, which is 1, is the function value). Table 6.3 has the list of HWBFs up to $n = 8$.

One of the interesting characteristics of HWBFs is that they have a very large number of nodes when represented by a BDD [79]. Specifically,

$$BDD(h_n) = c\chi^n + O(n^2),$$

where $\chi \approx 1.3247$ is the positive root of

$$\chi^3 = \chi + 1$$

and $c \approx 10.75115$ [102, p. 206].

6.3.2.  Affine  Structure  within  HWBF 

In order to implement our construction methods with HWBFs, we need a class of functions affine equivalent to the HWBFs. It turned out that a HWBF $h_n$ is, in fact, a concatenation of $h_{n-1}$ and one of its affine-equivalent functions. Let $\phi$ be the left-rotation symmetric operation on vectors of arbitrary dimension, say $\phi(x_n, x_{n-1}, \ldots, x_1) = (x_1, \ldots, x_3, x_2)$.

n    HWBF of n Variable

1    01

2    0101

3    01010011

4    0101001100100111

5    01010011001001110010011000011111

6    01010011001001110010011000011111
     00100110000111100000100101111111

7    01010011001001110010011000011111
     00100110000111100000100101111111
     00100110000111100000100101111110
     00001000011010010001011111111111

8    01010011001001110010011000011111
     00100110000111100000100101111111
     00100110000111100000100101111110
     00001000011010010001011111111111
     00100110000111100000100101111110
     00001000011010010001011111111110
     00001000011010000001011011101001
     00000001100101110111111111111111

Table 6.3: Hidden Weighted-Bit Functions


In [98], Wang et al. showed that the HWBF is a concatenation which can be iterated, as shown in the next formula.

$$\begin{aligned}
h_n(x_1, \mathbf{x}, x_{n-1}, x_n) &= h_{n-1}(x_1, \mathbf{x}, x_{n-1}) \,\|\, (h_{n-1} \circ \phi)(x_1, \mathbf{x}, x_{n-1}) \\
&= h_{n-2}(x_1, \mathbf{x}) \,\|\, (h_{n-2} \circ \phi)(x_1, \mathbf{x}) \,\|\, h_{n-2}(\mathbf{x}, x_{n-1}) \,\|\, (h_{n-2} \circ \phi)(\mathbf{x}, x_{n-1}) \qquad (6.1)
\end{aligned}$$

where $\mathbf{x} = (x_2, \ldots, x_{n-2}) \in \mathbb{F}_2^{n-3}$. Noting this phenomenon, we define the function that describes the latter half of the HWBF.

Definition 6.3.2. Given the HWBF $h_{n+1}$, the latter half function of $h_{n+1}$, denoted by $h'_n$, is

$$h'_n(\mathbf{x}) = \begin{cases} 1 & \text{if } wt(\mathbf{x}) = n \\ x_{wt(\mathbf{x})+1} & \text{if } 0 \le wt(\mathbf{x}) \le n - 1. \end{cases}$$

On the other hand, we call the other half the front half function, which is $h_n$. So, we have

$$h_{n+1} = h_n \| h'_n.$$

6.3.3.  Cryptographic  Properties  of  HWBF 

Wang et al. extensively investigated the cryptographic properties of HWBFs in [98]. We list their findings briefly. Given $h_n \in B_n$ where $h_n$ is an HWBF, the following statements are true:

• $h_n$ is balanced.

• $\deg(h_n) = n - 1$ for $n \ge 3$.

• $h_n$ satisfies SAC.

• Let $\mathbf{u} = (u_1, u_2, \ldots, u_n)$ and $wt(\mathbf{u}) = 1$. Then,

H,‘(u)-4(S)- 

• $h_n$ has nonlinearity

$$nl(h_n) = 2^{n-1} - 2\binom{n-2}{\lceil (n-2)/2 \rceil}. \qquad (6.2)$$

• $h_n$ has algebraic immunity

$$AI(h_n) \ge \left\lfloor \frac{n}{3} \right\rfloor + 1. \qquad (6.3)$$

• $h_n$ is a [|J -normal function, and $h_n$ is not $k$-normal for any $k >$ [|J .

Remark 6.3.3. We refer back to Table 6.3. We note the string of 1's at the end of the truth tables for each $n$. The pattern suggests that given $n \ge 5$, we may have at least the last $n$ bits equal to 1. We ask if it is possible to exploit it. If an attack is possible, then what is the best way to mitigate the risk?

6.4.  CONSTRUCTION  BASED  ON  HWBF 

For our constructions, we let $\{f_i, f_j\} = \{h_{n-2}, h'_{n-2}\}$. Then, we have,

Construction  1. 


/.  II  Si  II  /.  II  Sr,  Si  II  Si  II  Si  II  Si ;  Si  II 1,  II  S,  II  Sr,  Si  II  S,  II  /.  II  Sr 


Si  II  Si  II  S,  II  Sr  /.  II  Si  II  h  II  Sr  S,  II  U  II  Si  II  Sr  U  II  S,  II  Si  II  /.- 


Construction  2. 


fi  II  /,  II  L  II  h  fi  II  fj  II  fj  II  k  fi  II  fj  II  fi  II  f,\  ft  II  fj  II  fj  II  k 


Theorem 6.4.1. [27] Let $n \ge 4$ and $f_1 \| f_2 = h_{n-2} \| h'_{n-2} = h_{n-1}$, the $(n - 1)$-variable HWBF. Then, all of the functions $f$ from Construction 1 are balanced of degree $\max\{n - 2, 2\}$, have nonlinearity

$$nl(f) = 2^{n-1} - 4\binom{n-4}{\lceil (n-4)/2 \rceil},$$

and have algebraic immunity

$$AI(f) \ge \left\lfloor \frac{n+2}{3} \right\rfloor.$$

Proof. Clearly, all functions in Construction 1 are balanced since $h_{n-2}$ and $h'_{n-2}$ are balanced. Furthermore, for any concatenation $g_1 \| g_2 \in B_n$ where $g_1, g_2 \in B_{n-1}$,

$$\deg(g_1 \| g_2) = \max\{\deg(g_1),\ \deg(g_1 \oplus g_2) + 1\}$$

since

$$\begin{aligned}
g_1 \| g_2 &= (x_n \oplus 1)g_1 \oplus x_n g_2 \\
&= x_n(g_1 \oplus g_2) \oplus g_1.
\end{aligned}$$

Thus,

$$\begin{aligned}
\deg(f_1 \| f_2 \| f_1 \| \bar{f}_2) &= \max\{\deg(f_1 \| f_2),\ \deg((f_1 \| f_2) \oplus (f_1 \| \bar{f}_2)) + 1\} \\
&= \max\{n - 2,\ \deg(0_{2^{n-2}} 1_{2^{n-2}}) + 1\} \\
&= \max\{n - 2,\ 2\},
\end{aligned}$$

where we write $0_s$, or $1_s$, for a truth table with the corresponding bit repeated $s$ times.

Next, we do the computation for only one case. The others are similar. Let $f = f_1 \| f_2 \| f_1 \| \bar{f}_2$. We show that

$$\max |W_f(\mathbf{w})| = 8\binom{n-4}{\lceil (n-4)/2 \rceil}.$$

We use Lemma 5.4.1, with $g_1 = h_{n-1} = f_1 \| f_2$, $g_2 = f_1 \| \bar{f}_2$, $f_1 = h_{n-2}$, and $f_2 = h'_{n-2}$. As in the proof of Theorem 5.4.4, we have

$$W_f(\mathbf{u}, u_{n-1}, u_n) = (1 + (-1)^{u_n})\,W_{f_1}(\mathbf{u}) + (-1)^{u_{n-1}}(1 - (-1)^{u_n})\,W_{f_2}(\mathbf{u})$$

where $\mathbf{u} \in \mathbb{F}_2^{n-2}$.

Thus,

$$W_f(\mathbf{u}, u_{n-1}, 0) = 2\,W_{f_1}(\mathbf{u})$$

and

$$W_f(\mathbf{u}, u_{n-1}, 1) = 2(-1)^{u_{n-1}}\,W_{f_2}(\mathbf{u}).$$

Since  /i(u)  =  /r„_2( u)  and  /2(u)  =  /ijl_2(u)  and  max  |VLftn(u)|  =  4(2^1)  by 

ueF"-2  1  2  I' 

Equation  6.2,  it  follows  that 

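$$\max_{(\mathbf{u}, u_{n-1}, u_n) \in \mathbb{F}_2^n} |W_f(\mathbf{u}, u_{n-1}, u_n)| = 2\max\left\{\max_{\mathbf{u} \in \mathbb{F}_2^{n-2}} |W_{h_{n-2}}(\mathbf{u})|,\ \max_{\mathbf{u} \in \mathbb{F}_2^{n-2}} |W_{h_{n-2}}(\phi(\mathbf{u}))|\right\}.$$

By Theorem 2.3.4, the nonlinearity of the functions in Construction 1 is

$$nl(f) = 2^{n-1} - 4\binom{n-4}{\lceil (n-4)/2 \rceil}.$$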

We now deal with the computation of the algebraic immunity for the considered functions. By Theorem 4 of [98], let

$$AI(h_n) = d_n \ge \left\lfloor \frac{n}{3} \right\rfloor + 1.$$

Since $h_n \sim h'_n$, we can construct an annihilator of $h'_n$ by the same affine transformation between $h_n$ and $h'_n$.

$$AI(h_n) = AI(h'_n).$$

By the definition of algebraic immunity,

$$AI(g) = AI(\bar{g})$$

for any Boolean function $g$, and also,


Ai{fi\\fi)  =  mu  m, 


and  by  Lemma  5.4.3, 


for $\{i, j\} = \{1, 2\}$.

So without loss of generality, we will only consider the case of $f = f_1 \| f_2 \| f_1 \| \bar{f}_2$. Let $g = g_1 \| g_2 \| k_1 \| k_2 \ne 0$ be a nonzero annihilator of $f$. Thus, $g_1, k_1$ are both annihilators of $f_1$, and $g_2$, respectively $k_2$, are annihilators of $f_2$, respectively $\bar{f}_2$, such that each annihilator is a nonzero function.

First, since $g_1 \| g_2$ is an annihilator of $f_1 \| f_2 = h_{n-1}$, it follows that $\deg(g_1 \| g_2) = 0$, if both $g_1 = g_2 = 0$, or $\deg(g_1 \| g_2) \ge d_{n-1}$. Also, we observe that $\deg(g_1 \oplus k_1)$ is either 0, if $g_1 = k_1 = 0$ or $g_1 = k_1 \ne 0$. Otherwise, $\deg(g_1 \oplus k_1) \ge d_{n-1}$, since $g_1 \oplus k_1$ is an annihilator of $f_1$. Now, the degree of the concatenation $g = g_1 \| g_2 \| k_1 \| k_2$ is

$$\deg(g) = \max\{\deg(g_1 \| g_2),\ \deg((g_1 \oplus k_1) \| (g_2 \oplus k_2)) + 1\}.$$

Next, we analyze the components of the set above. We see that

$$\deg(g_1 \| g_2) = \max\{\deg(g_1),\ \deg(g_1 \oplus g_2) + 1\},$$

and

$$\deg((g_1 \oplus k_1) \| (g_2 \oplus k_2)) = \max\{\deg(g_1 \oplus k_1),\ \deg(g_1 \oplus g_2 \oplus k_1 \oplus k_2) + 1\}.$$

If we minimize $\max\{\deg(g_1 \oplus k_1),\ \deg(g_1 \oplus g_2 \oplus k_1 \oplus k_2) + 1\}$, we have the worst case when $g_1 = k_1$ and $g_2 = k_2$. Then,

$$\deg(g) = \max\{\deg(g_1 \| g_2),\ 1\} \ge \left\lfloor \frac{n-1}{3} \right\rfloor + 1 = \left\lfloor \frac{n+2}{3} \right\rfloor$$

by Equation 6.3. □

Theorem 6.4.2. [27] Let $n \ge 3$ and $f_1 \| f_2 = h_{n-1}$, the $(n - 1)$-variable HWBF. All of the functions $f$ from Construction 2 are balanced, have degree $n - 2$, have nonlinearity

$$nl(f) = 2^{n-1} - 4\binom{n-3}{\lceil (n-3)/2 \rceil},$$

have algebraic immunity

$$AI(f) \ge \left\lfloor \frac{n+2}{3} \right\rfloor,$$

and have resiliency of order 1.


Proof. The functions in Construction 2 are balanced regardless of the balancedness of $f_1$ and $f_2$ and their complements. We will consider only some cases, since the others follow similarly. If there is a noteworthy difference, we will point it out as necessary. Let $f = f_1 \| f_2 \| \bar{f}_1 \| \bar{f}_2$. Clearly,

$$\deg(f_1 \| f_2 \| \bar{f}_1 \| \bar{f}_2) = \max\{\deg(f_1 \| f_2),\ \deg((f_1 \| f_2) \oplus (\bar{f}_1 \| \bar{f}_2)) + 1\}$$


=  rnaxjn  —  2,  deg(02™-i)  +  1} 

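$$= \max\{n - 2,\ 1\} = n - 2$$

for $n \ge 3$. For the other possibilities, if $f = f_1 \| f_2 \| \bar{f}_2 \| \bar{f}_1$,

$$\begin{aligned}
\deg(f_1 \| f_2 \| \bar{f}_2 \| \bar{f}_1) &= \max\{\deg(f_1 \| f_2),\ \deg((f_1 \| f_2) \oplus (\bar{f}_2 \| \bar{f}_1)) + 1\} \\
&= \max\{n - 2,\ \deg((f_1 \oplus \bar{f}_2) \| (f_2 \oplus \bar{f}_1)) + 1\} \\
&= \max\{n - 2,\ \deg(f_1 \oplus f_2) + 1\} \\
&= \max\{n - 2,\ n - 2\} \\
&= n - 2.
\end{aligned}$$

Next, by Lemma 5.4.1 with $g_1 = h_{n-1} = f_1 \| f_2$, $g_2 = \bar{f}_1 \| \bar{f}_2$, $f_1 = h_{n-2}$, and $f_2 = h'_{n-2}$, as in Theorem 5.4.4 we have

$$W_f(\mathbf{u}, u_{n-1}, u_n) = (1 - (-1)^{u_n})\left(W_{f_1}(\mathbf{u}) + (-1)^{u_{n-1}}\,W_{f_2}(\mathbf{u})\right)$$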


=  (1  -(-!)“») 


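where $\mathbf{u} \in \mathbb{F}_2^{n-2}$. We now get

$$\max_{(\mathbf{u}, u_{n-1}, u_n) \in \mathbb{F}_2^n} |W_f(\mathbf{u}, u_{n-1}, u_n)| = 8\binom{n-3}{\lceil (n-3)/2 \rceil}$$

by Equation 6.2. Therefore, we have

$$nl(f) = 2^{n-1} - 4\binom{n-3}{\lceil (n-3)/2 \rceil}$$

by Theorem 2.3.4.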

To show resilience of order 1, we will prove that the functions in Construction 2 are correlation immune of order 1 since the function is already balanced. The case of $f_1 \| f_2 \| \bar{f}_1 \| \bar{f}_2$, or $\bar{f}_1 \| \bar{f}_2 \| f_1 \| f_2$, is straightforward. Let $f = f_1 \| f_2 \| \bar{f}_2 \| \bar{f}_1$. To show correlation immunity of order 1, we need to show that $W_f(\mathbf{w}) = 0$ for any vector $\mathbf{w}$ with $wt(\mathbf{w}) = 1$ by Lemma 2.3.15. It turns out that this will follow simply by using the balancedness of $f_1$ and $f_2$ and not the HWBF property. By Lemma 5.4.1, if $wt(\mathbf{u}, u_{n-1}, u_n) = 1$, we have

$$W_f(\mathbf{u}, u_{n-1}, u_n) = (1 - (-1)^{u_{n-1} + u_n})\left(W_{f_1}(\mathbf{u}) + (-1)^{u_{n-1}}\,W_{f_2}(\mathbf{u})\right).$$

Now, if $wt(u_{n-1}, u_n) = 1$, then $\mathbf{u} = \mathbf{0}$. Since $f_1$ and $f_2$ are balanced,

$$W_{f_1}(\mathbf{u}) = W_{f_2}(\mathbf{u}) = 0.$$

If $wt(u_{n-1}, u_n) = 0$, we have

$$1 - (-1)^{u_{n-1} + u_n} = 0.$$

Therefore,

$$W_f(\mathbf{u}, u_{n-1}, u_n) = 0,$$

where $wt(\mathbf{u}, u_{n-1}, u_n) = 1$, and the functions have the resiliency of order 1.

The computation of the algebraic immunity is similar to the one in the proof of Theorem 6.4.1. Let $f = f_1 \| f_2 \| \bar{f}_1 \| \bar{f}_2$. We see that

$$AI(f_1 \| f_2) = AI(\bar{f}_1 \| \bar{f}_2).$$

Additionally, by the definition of algebraic immunity, the annihilator used to justify the AI of $f_1 \| f_2$ or $\bar{f}_1 \| \bar{f}_2$ can be the same function. Let $g = g_1 \| g_2 \ne 0$ be a nonzero annihilator of $f$ where $g_1, g_2 \in B_{n-1}$. The degree of the concatenation $g = g_1 \| g_2$ is

$$\deg(g) = \max\{\deg(g_1),\ \deg(g_1 \oplus g_2) + 1\}.$$

We observe that this value takes a minimum when $g_1 = g_2$. So we have

$$\begin{aligned}
\min\{\deg(g)\} &= \min\{\max\{\deg(g_1),\ \deg(g_1 \oplus g_2) + 1\}\} \\
&= \deg(g_1) \\
&\ge \left\lfloor \frac{n-1}{3} \right\rfloor + 1 \\
&= \left\lfloor \frac{n+2}{3} \right\rfloor
\end{aligned}$$

by Equation 6.3, which gives us $AI(f) \ge \left\lfloor \frac{n+2}{3} \right\rfloor$. □

We see that Theorems 5.4.6 and 5.4.7 apply to the normality of the Construction 1 and 2 functions, respectively.

Example 6.4.3. We present a snapshot of a performance comparison between the base function HWBF and a function of Construction 1. Let $f = f_1 \| f_2 \| f_1 \| \bar{f}_2$. In Table 6.4, one can find the algebraic immunity and nonlinearity of $f$, compared to the HWBF $h_n$.


n     AI(f)   AI(h_n)   nl(f)    nl(h_n)
7     3       3         52       44
8     4       4         104      88
9     4       4         216      186
10    5       4         432      372
11    5       5         884      772
12    5       5         1768     1544
13    6       5         3592     3172
14    6       5         7184     6344
15    6       6         14536    12952

Table 6.4: Algebraic immunity and nonlinearity of the HWBF-based f and the HWBF h_n. From [27]
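The nonlinearity columns of Table 6.4 can be recomputed directly from Definitions 6.3.1 and 6.3.2. The following is an added example, not code from the thesis or from [27]: it builds $h_n$ and $h'_n$, forms the Construction 1 function $f_1 \| f_2 \| f_1 \| \bar{f}_2$ used in the proofs above, and checks balancedness, SAC, degree and nonlinearity. Function names are chosen here, and truth tables are indexed with $x_1$ as the least significant bit, an assumption made because it reproduces the rows of Table 6.3.

```python
from math import comb


def hwbf(n):
    """Truth table of h_n (Definition 6.3.1); bit i-1 of the index holds x_i."""
    table = []
    for x in range(1 << n):
        w = bin(x).count("1")
        table.append(0 if w == 0 else (x >> (w - 1)) & 1)
    return table


def latter_half(n):
    """Truth table of h'_n (Definition 6.3.2): 1 if wt(x) = n, else x_{wt(x)+1}."""
    table = []
    for x in range(1 << n):
        w = bin(x).count("1")
        table.append(1 if w == n else (x >> w) & 1)
    return table


def construction1(n):
    """f = f1 || f2 || f1 || complement(f2), with f1 = h_{n-2} and f2 = h'_{n-2}."""
    f1, f2 = hwbf(n - 2), latter_half(n - 2)
    return f1 + f2 + f1 + [b ^ 1 for b in f2]


def walsh(tt):
    """Walsh spectrum W_f(u) = sum over x of (-1)^(f(x) + u.x), fast butterfly."""
    w = [1 - 2 * b for b in tt]
    step = 1
    while step < len(w):
        for start in range(0, len(w), 2 * step):
            for i in range(start, start + step):
                a, b = w[i], w[i + step]
                w[i], w[i + step] = a + b, a - b
        step *= 2
    return w


def nonlinearity(tt):
    """nl(f) = 2^(n-1) - max|W_f| / 2."""
    return len(tt) // 2 - max(abs(v) for v in walsh(tt)) // 2


def hwbf_nonlinearity_formula(n):
    """Closed form quoted from [98] in Section 6.3.3 (Equation 6.2)."""
    return 2 ** (n - 1) - 2 * comb(n - 2, (n - 1) // 2)   # (n-1)//2 = ceil((n-2)/2)


def is_balanced(tt):
    return 2 * sum(tt) == len(tt)


def satisfies_sac(tt):
    """SAC: f(x) + f(x + e_i) is balanced for every unit vector e_i."""
    n = len(tt).bit_length() - 1
    return all(
        2 * sum(tt[x] ^ tt[x ^ (1 << i)] for x in range(len(tt))) == len(tt)
        for i in range(n)
    )


def degree(tt):
    """Algebraic degree, read off the ANF given by the binary Moebius transform."""
    anf = list(tt)
    step = 1
    while step < len(anf):
        for start in range(0, len(anf), 2 * step):
            for i in range(start, start + step):
                anf[i + step] ^= anf[i]
        step *= 2
    return max((bin(m).count("1") for m, c in enumerate(anf) if c), default=0)


def report(n):
    """Properties of the Construction 1 function next to those of h_n."""
    f, h = construction1(n), hwbf(n)
    return {
        "n": n, "balanced": is_balanced(f), "sac": satisfies_sac(f),
        "deg(f)": degree(f), "nl(f)": nonlinearity(f), "nl(h_n)": nonlinearity(h),
    }


if __name__ == "__main__":
    print("h_4 =", "".join(map(str, hwbf(4))))
    for n in range(7, 11):
        print(report(n))
```

Algebraic immunity is not recomputed here; the AI columns of Table 6.4 are taken as given.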


As for the algebraic immunity, let $fg = h_n$, $\deg(g) = d$ and $\deg(h_n) = e$. In Table 6.5, we present the lowest possible values of $(d, e)$ needed for the fast algebraic attack.


n 

7 

8 

9 

10 

11 

12 

13 

(d,e) 

(1,3) 

(1,5) 

(1,5) 

(1,7) 

(1,7) 

(1,9) 

(1,9) 

(2,4) 

(2,4) 

(2,4) 

(2,5) 

(2,6) 

(2,8) 

(2,8) 

(3,3) 

(3,4) 

(3,4) 

(3,5) 

(3,5) 

(3,6) 

(3,6) 

(4,5) 

(4,5) 

(4,6) 

(4,6) 

(5,6) 

Table  6.5:  Behavior  of  the  HWBF-based  function  /  against  Fast  Algebraic  Attacks  From 
[27] 


Remark 6.4.4. We briefly mention some tentative results on our constructions with the Carlet-Feng function. Let $f_1 \in B_{10}$ be the Carlet-Feng function with the primitive polynomial

$$x^{10} + x^6 + x^5 + x^3 + x^2 + x + 1$$

and $f_2(\mathbf{x}) = f_1(A\mathbf{x})$, where

$$A = (\mathbf{e}_1, \mathbf{e}_2, \mathbf{e}_3, \mathbf{e}_4, \mathbf{e}_5, \mathbf{e}_{10}, \mathbf{e}_6, \mathbf{e}_7, \mathbf{e}_8, \mathbf{e}_9)$$

and $\mathbf{e}_i \in \mathbb{F}_2^{10}$ is the unit column vector with 1 in the $i$-th position and 0's elsewhere. Let $f = f_1 \| f_2 \| f_1 \| \bar{f}_2 \in B_{12}$. Then, we computed $AI(f) = 6$ and $nl(f) = 1992$. In comparison, the nonlinearity of the 12-variable Carlet-Feng function discussed in [96] and [97] is only 1970. Also, the recent 12-variable functions constructed by Construction 1 and 2 of [96] have the nonlinearity at most 1988 and 1982, respectively. Our constructions compare well to competitive constructions with good cryptographic properties.

7. CONCLUSION AND FUTURE RESEARCH


7.1.  CONCLUSION 

In this dissertation, we studied the affine equivalence of Boolean functions, the relationship between Boolean functions and graphs, and the construction techniques of Boolean functions and their applications. Affine equivalence of Boolean functions still remains a tough challenge for researchers. We defined S-equivalence, a special type of affine equivalence based on permutation of variables, and our research focused on S-equivalence of MRS functions and circulant matrices of $\mathbb{F}_2$. We established a relationship between MRS functions and the circulant matrices of $\mathbb{F}_2$. We explored the group structure of the circulant matrices of $\mathbb{F}_2$ and found a pattern of the square of a circulant matrix of $\mathbb{F}_2$. This pattern ultimately led us to a series of properties of MRS functions whose circulant matrices are singular, but have pseudo inverses. We showed a condition in terms of generating polynomials for a singular circulant matrix in $\mathbb{F}_2$ to have a general or reflexive inverse. We defined a dual function for an MRS function with respect to the inverse of the circulant matrix of the function. We then showed that two S-equivalent functions have the same degree in ANF, and their dual functions have the same degree. We also showed that if the circulant matrices of two MRS functions are P-Q equivalent, the functions have the same degree. Moreover, if the matrices are invertible, their dual functions have the same degree, and a circulant matrix of one of the original functions is a permutation of the other.

We developed an idea to represent an MRS function in a graph using the cycles generated by the ordered short algebraic normal form (OSANF) of the function. We illustrated that this graph is regular. We showed that the graph is ultimately determined by the sequential differences of the indices of variables in OSANF. We described the relationship between this property and the construction of MRS functions.

We considered two effective constructions of cryptographic Boolean functions, which use a base function with strong cryptographic properties, one of its affine equivalent functions, and simple construction techniques, namely complementation and concatenation. This strategy reinforces the two important requirements for cryptographic functions, namely security and speed. Security is clearly a must. However, if a cryptographic function requires an unreasonable amount of computing power or hard-to-implement hardware or software, it cannot be utilized effectively. We presented an application of the constructions, using hidden weighted-bit functions.

In summary, we cleared some trenches on the way to a complete understanding of the affine-equivalence problem of Boolean functions. We further presented two effective constructions for cryptographic Boolean functions.

7.2.  FUTURE  WORK 

In  this  dissertation,  we  explored  various  areas  of  Boolean  functions.  We  solved 
some  related  problems  in  the  process,  but  we  could  not  solve  all  the  problems.  We  present 
a  partial  list  of  problems  worth  considering. 

1.  Prove  or  disprove  “If  f  ~  g  with  singular  matrices  Aj  and  Ag,  and  wt(A(f))  = 
wt(A(g)),  then  wt(A(p))  =  wt( A(g^)),  where  p  and  are  pseudoinverses  of  f 
and  g,  respectively 

2. We propose a thorough analysis of the CCGs. More graph-theoretic, number-theoretic, and combinatorial analyses can be done. One can also study the relationship between the CCG and cryptographic properties. One can expand the concept of CCG and develop a CCG-like structure for all RSBFs.

3. Extend the cryptographic analysis of Constructions 1 and 2 to GAC, etc. Study more applications of the constructions using other functions.

4. The BDD of Boolean functions has an interesting set of operations. Their effects on various cryptographic properties of Boolean functions would be a worthwhile project.

5. HWBFs seem to display predictable patterns in the second half of a truth table. An interesting project will be to engineer another class of cryptographic Boolean functions with high BDD size, but without the predictability.